February 1, 2017 | Author: Washington Cárdenas | Category: N/A
Check Point Software Technologies Ltd.
We Secure the Internet.

Check Point Certified Security Expert R75
STUDENT MANUAL
Version 2

3D Security
Check Point Security Series
Check Point Certified Security Expert R75 PIN: 704575
Copyright © Check Point Software Technologies Ltd. All rights reserved. Printed by Check Point Press, a division of Check Point Software Technologies Ltd.

DISCLAIMER OF WARRANTY Check Point Software Technologies Ltd. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

COPYRIGHT NOTICE No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Check Point Software Technologies Ltd. No patent liability is assumed with respect to the use of the information contained herein. While every precaution has been taken in the preparation of this publication, Check Point Software Technologies Ltd. assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. Copyright © Check Point Software Technologies Ltd. All rights reserved.

TRADEMARKS © 2003-2012 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point 2200, Check Point 4000 Appliances, Check Point 4200, Check Point 4600, Check Point 4800, Check Point 12000 Appliances, Check Point 12200, Check Point 12400, Check Point 12600, Check Point 21400, Check Point 6100 Security System, Check Point Anti-Bot Software Blade, Check Point Application Control Software Blade, Check Point Data Loss Prevention, Check Point DLP, Check Point DLP-1, Check Point Endpoint Security, Check Point Endpoint Security On Demand, the Check Point logo, Check Point Full Disk Encryption, Check Point GO, Check Point Horizon Manager, Check Point Identity Awareness, Check Point IPS, Check Point IPSec VPN, Check Point Media Encryption, Check Point Mobile, Check Point Mobile Access, Check Point NAC, Check Point Network Voyager, Check Point OneCheck, Check Point R75, Check Point Security Gateway, Check Point Update Service, Check Point WebCheck, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, DefenseNet, DynamicID, Endpoint Connect VPN Client, Endpoint Security, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IM Secure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IP Appliances, IPS-1, IPS Software Blade, IPSO, R75, Software Blade, IQ Engine, MailSafe, the More, better, Simpler Security logo, Multi-Domain Security Management, MultiSpect, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, Secure Virtual Workspace, SecureClient, SecureClient Mobile, Secure Knowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, SecurityPower, Series 80 Appliance, SiteManager-1, Smart-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, SmartEvent, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartReporter, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartWorkflow, SMP, SMP On-Demand, SocialGuard, SofaWare, Software Blade Architecture, the softwareblades logo, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, UserCheck, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Edge, VPN-1 MASS, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VE, VPN-1 VSX, VSX, VSX-1, Web Intelligence, ZoneAlarm, ZoneAlarm Antivirus + Firewall, ZoneAlarm DataLock, ZoneAlarm Extreme Security, ZoneAlarm ForceField, ZoneAlarm Free Firewall, ZoneAlarm Pro Firewall, ZoneAlarm Internet Security Suite, ZoneAlarm Security Toolbar, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, 7,165,076, 7,540,013, 7,725,737 and 7,788,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.

DOWNLOAD AGREEMENT Any use, access or download of any file, software, document or Software Subscription under the Check Point website and/or User Center is subject to the terms of the Download Agreement. Please review the Download Agreement terms and conditions.
International Headquarters:
5 Ha'Solelim Street, Tel Aviv 67897, Israel  Tel: +972-3-753 4555

U.S. Headquarters:
800 Bridge Parkway, Redwood City, CA 94065  Tel: 650-628-2000  Fax: 650-654-4233

Technical Support, Education & Professional Services:
6330 Commerce Drive, Suite 120, Irving, TX 75063  Tel: 972-444-6612  Fax: 972-506-7913

E-mail any comments or questions about our courseware to [email protected]. For questions or comments about other Check Point documentation, e-mail CP_[email protected].
Document #: DOC-Manual-CCSE-R75
Revision: R75.2
Content: Mark Hoefle, Steven Luc, Joey Witt
Graphics: Jeffery Holder, Chunming Jia

Contributors

Alpha & Beta Testing: Tim Hall - Shadow Peak, Inc.; Eli Faskha - Soluciones Seguras; Valeri Loukine - DIData; Ores Mcncns - Westcon; Kory Kashkooli - The Network Trading Center; Walee Herabut - The Enterprise Resources Training Company; Yasushi Kono - ComputerLinks; Vinny Brijlal - Unity Technology Solutions; John Pease - ComputerLinks; Sandra Vanloon - Avnet; Brian Crouch - Cadre; Dan Hackney - Structured Communications; Marco Garcia - Dell SecureWorks; Rajeev Gupta - Verison; Edison Aguayo - Digiware; Michael Endrizzi - Midpoint Technologies
Test Development: Ken Finley - Check Point
Check Point Technical Publications Team: Rochelle Fisher, Daly Yam, Eli Har-Even, Micky Sapir, Paul Grigg, Richard Levine, Shira Rosenfield, Yaakov Simon
Check Point Technical Review: Menahem Pitchon, Matt Stephenson, Patrick Polizzi, Khanh Nguyen, Dan Conway, Doug Rich
Contents

Preface: Check Point Certified Security Expert ... 1
    IP Addresses and Classroom Configuration ... 7
    Check Point 3D Security ... 8
    Deployment Scenario ... 10

Chapter 1: Advanced Upgrading ... 11
    Back up and Restore Security Gateways and Management Servers ... 13
    Workflow ... 20
    Upgrade Cluster Deployments ... 22
    Review Questions ... 24

Chapter 2: Advanced Firewall ... 25
    FireWall-1 Infrastructure ... 27
    Security Gateway ... 28
    Kernel Tables ... 37
    FireWall-1 Key Features ... 40
    N… ... 46
    FW Monitor ... 51
    Review Questions ... 54

Chapter 3: Clustering and Acceleration ... 55
    Clustering and Acceleration ... 57
    ClusterXL: Load Balancing ... 63
    Maintenance Tasks and Tools ... 67
    Management HA ... 69
    SecureXL: Security Acceleration ... 72
    CoreXL: Multicore Acceleration ... 81
    Review Questions ... 86

Chapter 4: Advanced User Management ... 87
    User Management ... 89
    Troubleshooting User Authentication and SmartDirectory (LDAP) ... 97
    Identity Awareness ... 100
    Review Questions ... 106

Chapter 5: Advanced IPsec VPN and Remote Access ... 107
    Advanced VPN Concepts and Practices ... 109
    Remote Access VPNs ... 117
    Multiple Entry Point VPNs ... 120
    Tunnel Management ... 122
    Troubleshooting ... 127
    VPN Debug ... 128
    Review Questions ... 134

Chapter 6: Auditing and Reporting ... 135
    Auditing and Reporting Processes ... 137
    SmartEvent
    SmartEvent Architecture ... 143
    SmartReporter ... 152
    Review Questions ... 155

Appendix A: User Mode Debug ... 157
    Running User-Mode Debug ... 158

Appendix B: Chapter Questions and Answers ... 173
    Chapter 1 - Advanced Upgrading ... 174
    Chapter 2 - Advanced Firewall ... 175
    Chapter 3 - Clustering and Acceleration ... 176
    Chapter 4 - Advanced User Management ... 177
    Chapter 5 - Advanced IPsec VPN and Remote Access ... 178
    Chapter 6 - Auditing and Reporting ... 179
Preface

Check Point Certified Security Expert
Introduction

Welcome to the Check Point Certified Security Expert (CCSE) course. This course is intended to provide you with an understanding of key concepts and skills necessary to effectively build, modify, deploy and troubleshoot a network using the Check Point Security Firewall. The CCSE course provides you with the following key elements:

• Advanced and in-depth explanation of FireWall-1 technology
• Key tips and techniques for troubleshooting FireWall-1
• Advanced upgrading concepts and practices
• Clustering firewall, management concepts and practices
• Software acceleration features
• Advanced VPN concepts and implementations
• Reporting tools, deployment options and features
This course provides hands-on training for building and configuring a network using the Check Point Security Gateway Software Blade using Windows & SecurePlatform. You will configure a Security Gateway in standalone and clustered deployments while implementing certificate-based and remote access VPNs using SmartConsole clients. You will also learn how to perform advanced troubleshooting tasks on the firewall.
Course Design

This course is designed for expert users and resellers who need to perform advanced deployment configurations of a Security Gateway. The following professionals benefit best from this course:

• System administrators
• Support analysts
• Network engineers
CCSE Course Prerequisites

Successful completion of this course depends on knowledge of multiple disciplines related to network-security activities:

• UNIX and Windows operating systems
• Certificate management
• System administration
• CCSA certification
• Networking (TCP/IP)
Course Chapters and Objectives

Chapter 1: Advanced Upgrading
1. Perform a backup of a Security Gateway and Management Server using your understanding of the differences between backups, snapshots, and upgrade-exports.
2. Upgrade and troubleshoot a Management Server using a database migration.
3. Upgrade and troubleshoot a clustered Security Gateway deployment.

Chapter 2: Advanced Firewall
1. Using your knowledge of Security Gateway infrastructure including chain modules, packet flow and kernel tables, describe how to perform debugs on firewall processes.

Chapter 3: Advanced Clustering and Acceleration
1. Build, test and troubleshoot a ClusterXL Load Sharing deployment on an enterprise network.
2. Build, test and troubleshoot a ClusterXL High Availability deployment on an enterprise network.
3. Build, test and troubleshoot a management HA deployment on an enterprise network.
4. Configure, maintain and troubleshoot SecureXL and CoreXL acceleration solutions on the corporate network traffic to ensure noted performance enhancement on the firewall.

Chapter 4: Advanced User Management
1. Using an external user database such as LDAP, configure SmartDirectory to incorporate user information for authentication services on the network.
2. Manage internal and external user access to resources for Remote Access or across a VPN.

Chapter 5: Advanced IPsec VPN and Remote Access
1. Using your knowledge of fundamental VPN tunnel concepts, troubleshoot a site-to-site or certificate-based VPN on a corporate gateway using IKEView, VPN log files and command-line debug tools.
2. Optimize VPN performance and availability by using Link Selection and Multiple Entry Point solutions.
3. Manage and test corporate VPN tunnels to allow for greater monitoring and scalability with multiple tunnels defined in a community including other VPN providers.

Chapter 6: Auditing and Reporting
1. Create Events or use existing event definitions to generate reports on specific network traffic using SmartReporter and SmartEvent in order to provide industry compliance information to management.
2. Using your knowledge of SmartEvent architecture and module communication, troubleshoot report generation given command-line tools and debug-file information.
We begin our course with a study of firewall processes and procedures for Security Management Servers and Gateways. We will take a close look at user and kernel processes, stateful inspection, and kernel tables, and note important troubleshooting guidelines. Take note of issues you have encountered in your experiences, and how they might have been addressed differently in your infrastructure. Review the course topology. Note the location of each server in relation to the Gateway, and how they are routed. Make sure you understand the purpose for each server, and the credentials used for accessing each server and the applications used. Finally, read through the chapter objectives. These guide you in understanding the purpose for the lectures and lab exercises.

Lab Setup

The following is the setup of your lab:

• The city sites are configured expressly for the purposes of exercises in this course.
• Unless otherwise noted by your instructor, the root password to all systems is: vpn123

Lab Topology

This CCSE course was developed using VMware Workstation and as such all systems in the lab topology are virtual machines running on a single host machine. Your instructor will have information as to the specific settings and configuration requirements of each virtual machine configuration, if you need them.
The lab topology is as follows:

Figure 1 - Starting Lab Topology

The topology changes throughout the course of the labs. The final topology is:

Figure 2 - Final Lab Topology
IP Addresses and Classroom Configuration

The table below lists important information concerning the starting configuration of the classroom topology. Refer to the "Starting Topology" map for a visual reference. The "Final Topology" map represents the topology after the upgrade and Clustering Labs have been completed.

Object          Host Name       Interface   IP Address
Atlantis_GUI    GUI_Atlantis    eth0        10.1.1.201/24
AT_MGMT_1       AT_MGMT_1       eth0        10.1.1.101/24
AT_MGMT_2       AT_MGMT_2       eth0        10.1.1.102/24
AT_GWY_1        AT_GWY_1        eth0        10.1.1.1/24
                                eth1        172.21.101.1/8
                                eth2        192.168.10.1/24
AT_GWY_2        AT_GWY_2        eth0        10.1.1.3/24
                                eth1        172.21.101.3/8
                                eth2        192.168.10.3/24
ADServer        ADServer        eth0        10.1.1.125/24
UK_GWY          UK_GWY          eth0        10.9.1.1/24
                                eth1        172.29.109.1/8
UK_GUI

TABLE 1: IP Address Scheme
Check Point 3D Security

Applying security measures to an organization's network is more than knowing how to push a policy, or building a cluster. It's about knowing how that policy is going to affect network processes, whether the policy will impede employees' ability to get their job done, or whether the redundancy is needed more for management, or a gateway. The Check Point 3D vision is about applying policies to serve business needs, while enforcing network security centrally, minimizing impact to the users. Educating company employees about the merit of upholding secure business practices is part and parcel of good enforcement, because users need the resources the network provides to do their jobs most effectively. Users become part of the process of security by learning the risks, applying safe practices depending on their role in the organization, and understanding that keeping data safe protects their jobs. Throughout this course, keep in mind that addressing the corporate policy, or enforcing changes in the corporate security infrastructure, impacts employee productivity. Security should be thought of as a process, and any security measure that is implemented must take into account the needs of the individual within the context of corporate mandates.

Security is a Process

What sets apart expert network administrators is the understanding that nothing in a network is ever 100% secure. New vulnerabilities in software become apparent daily, and security products must rush to keep pace with the ever-growing threats to our data. Though product patches, upgrades, and new product releases provide some level of protection, there is a need to apply strict processes that recognize this inherent insecurity in products. Regular maintenance cycles must be implemented. Constant monitoring of evolving cyber-attacks has become almost mandatory so that attack signatures are updated. In order to be compliant according to the highest IT security standards today, a company's IT security policies must be transparent. Transparency in information security and information technology is all about having good processes, knowing how and why they work, documenting them thoroughly, and reporting on the result. The challenges to IT involve security, deployment, management, and finally compliance. Security is the number one concern, but though security can never be perfect, risk to your organization is still manageable.
A common way of thinking about security products is that they prevent threats to resource data. A better way to look at them is as tools to avoid risk. Threats will always exist, and more will evolve that were never considered by the code developers, simply because the potential for threats is enormous and impossible to predict. Some amount of risk is acceptable, however, and some amount is not, depending on the needs of an organization. Avoiding risk is a continuous process, or to put it another way, security processes define how an organization minimizes risk. In the same way banking institutions conduct double audits and provide monitoring of your ATM card, organizations can implement safeguards on network traffic by creating strategic policies and automating IT processes. By automating monitoring, enforcement, and reporting of these policies, organizations learn employee and partner behavior regarding IT assets and intellectual property. In learning how the data is used, processes can be fine-tuned to mitigate risks even further. For example, despite malware protections, an endpoint is found to be infected by a key logger trojan. Unless a process is put in place that isolates that endpoint from infecting an entire enterprise network, much of the corporate data is at a high risk of being stolen.

The following summarizes some guidelines to incorporating IT security best practices, which directly apply to a typical task list for a network administrator:

1. Perform a risk assessment. Know where your risks lie. Identify areas that show any potential for problems and assess the likelihood and level of impact accordingly.
2. Develop and enforce a policy. Use best practices and implement them most heavily at the weakest point in your network. Consider the strictest enforcement at first, then apply exceptions carefully based on needs assessments and role-specific guidelines in order to minimize impact to productivity.
3. Address known vulnerabilities. Most common vulnerabilities exist in operating systems, popular applications, Web browsers, and virtual platforms.
4. Control and monitor devices. It is necessary to control what is moved on and off these devices. Monitor the devices for malicious software and provide sufficient controls to minimize impact to the corporate network in the event that safeguards don't succeed. Also, decide what personnel or processes must be involved for the control to be implemented successfully.
5. Conduct audits. Periodic audits provide useful insight into the effectiveness of the policies and enforcement measures. Adjustments to the policies are made more effective by this insight, and should be part of the necessary maintenance process.
Deployment Scenario

For this course, assume you are a network administrator for a company called Atlantis Corp., which provides out-sourced customer contact management solutions for a wide range of call center services. The company employs about 2,000 employees worldwide, maintaining key departments in finance, human resources, MIS, products, sales and corporate development. All of the major departments are located at headquarters, and some sales staff, technical support, MIS and data center personnel are located at the branch offices in the UK. A corporate firewall is already implemented. You have a dedicated server installed for the management, and SmartConsole clients running on a separate endpoint. In addition, you have remote users employed by Atlantis Corp., i.e., sales staff and technical services personnel that need to connect via VPN to headquarters:

Figure 3 - Atlantis Corp
CHAPTER 1
Advanced Upgrading

Upgrades are used to save Check Point product configurations, Security Policies, and objects, so that Security Administrators do not need to re-create Gateway and Security Management Server configurations.

Chapter Objectives:

• Perform a backup of a Security Gateway and Management Server using your understanding of the differences between backups, snapshots, and upgrade-exports.
• Upgrade and troubleshoot a Management Server using a database migration.
• Upgrade and troubleshoot a clustered Security Gateway deployment.
Back up and Restore Security Gateways and Management Servers

Check Point provides three methods for backing up and restoring the operating system and networking parameters on open servers and appliances:

• Snapshot and Revert
• Backup and Restore
• Upgrade_export / Export

Each of these methods backs up certain parameters and has relative advantages and disadvantages (i.e., file size, speed, and portability).

Snapshot and Revert

The Snapshot utility backs up everything, including OS drivers, and is available only for SecurePlatform. It can be used to back up both firewall and management servers. However, the file generated from this utility is very large, and can only be restored to a device having exactly the same state and configuration, such as operating system, Check Point version of SecurePlatform, and patch level. To take a snapshot, run the following command from expert mode:

snapshot
When the snapshot command is run, the system displays a series of options, as shown below:

Figure 1 - Snapshot

Initiating snapshot without any flags will put the file in the default location:

/var/CPsnapshot/snapshots

Additional flags are available for designating a different location, including for selecting a TFTP/FTP server. To see additional flags, type snapshot -h at the expert prompt. Performing a snapshot can take as much as 25 minutes, and could interrupt your services. Therefore, it is recommended to conduct a snapshot during a maintenance window. The revert command restores the system from the snapshot file created as above. To initiate the reversion process, type revert at the expert command prompt, and revert -h for additional options.
Snapshot can also be performed on UTM-1 and Power-1 appliances. However, it must be initiated via the WebUI. Access the WebUI in the usual way from a browser, using the address https://<appliance IP>:4434. Then, select Image Management in the Appliance menu. The following is an example of Image Management in the WebUI:

Figure 2 - Snapshot

Note: The option to revert from a snapshot in the WebUI is performed from the same location in the Image Management screen.
Backup and Restore

The Backup utility backs up your Check Point configuration and your networking and operating system parameters, including routing, and is only available for SecurePlatform. This mechanism can be used to back up both firewall and management modules. The resulting backup file will be smaller compared to a snapshot because it doesn't include drivers, and unlike the snapshot, can be restored to a different machine. However, like snapshot, a backup can only be restored to a machine that has the same operating system, Check Point version and patch level. Though a backup can be restored to a different machine, note that a backup includes machine information such as NIC interface MAC addresses.

Figure 3 - Restore

To run a backup, type backup at the expert prompt in SecurePlatform. Running a backup without any flags will store the .tgz file in the default location:

/var/CPbackup/backups

On the UTM-1 and Power-1 appliances, the default location for storing backups is:

/var/log/CPbackup/backups

You can assign another location for the file using a different command parameter, or select a TFTP/FTP server to upload the backup file. Use the backup -h command for a list of the available parameters.
Restoring from a backup file is initiated by typing restore at the expert command prompt, then selecting from the location options available.

It is possible to back up from the WebUI interface. This is typically the method used on UTM-1 and Power-1 appliances. However, restore is not possible via the WebUI in these instances.

Upgrade Tools

The upgrade tools back up all Check Point configurations, independent of hardware, operating system and Check Point version. Use this utility to back up Check Point configuration settings on the management station. The migrate utility is intended for upgrades or migration of database information to new systems with hardware changes, and will not work when downgrading to an earlier Check Point version. The file size is smaller and depends on the size of your policy. Assuming the CPU on the machine is not overloaded, it can be initiated on a live system without interrupting services. Run the migrate utility on SecurePlatform and Linux machines via the expert command line only, and via the command prompt in Windows. The upgrade tools can be found in the following R75 directory:

$FWDIR/bin/upgrade_tools

The upgrade tools can also be downloaded from the Check Point Support site: http://supportcenter.checkpoint.com
Saving Interface and Routing Information

When upgrading servers running Check Point products, you may want to save interface and routing information as a precaution. This information can be retrieved by running the following commands on the appropriate platform:

Platform        Command                        Description
Windows         netstat -rn > routes.txt       Saves route information to a text file.
Windows         ipconfig -a > ipconfig.txt     Saves interface information to a text file.
SecurePlatform  ifconfig > ifconfig.txt        Saves interface information to a text file.
SecurePlatform  copy /etc/sysconfig/network    Copies the file containing the route information to a location so that it can be retrieved.

TABLE 1: Saving Interface and Routing Information
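The captures from the table are only useful if someone compares them after the restore. The following is an added example, not part of the manual: a POSIX shell script that summarises saved SecurePlatform ifconfig and netstat -rn output and reports interfaces or routes that were lost or changed between the pre-upgrade capture and the post-restore one. The sample captures are constructed inline for AT_GWY_1 from the classroom address table; the file names, MAC addresses and the post-restore differences are assumptions.

```shell
#!/bin/sh
# Added example (not from the manual): compare the interface and routing
# captures saved before an upgrade ("pre") with captures taken after the
# restore ("post") on a SecurePlatform gateway. Assumes the captures were
# produced as the table recommends: "ifconfig > ifconfig.txt" and
# "netstat -rn > routes.txt" (net-tools output format).
LC_ALL=C; export LC_ALL   # byte-order collation so sort and comm agree

# Constructed sample capture for AT_GWY_1 (eth0 10.1.1.1, eth1 172.21.101.1,
# eth2 192.168.10.1 from the classroom address table). MAC addresses are made up.
PRE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:02
          inet addr:172.21.101.1  Bcast:172.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth2      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:03
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'
PRE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth2
172.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         10.1.1.254      0.0.0.0         UG        0 0          0 eth0'
# Constructed "post" captures with two deliberate differences: eth2 (and its
# route) is gone, and the default gateway changed, the kind of drift a restore
# onto different hardware or a damaged /etc/sysconfig/network produces.
POST_IFCONFIG=$(printf '%s\n' "$PRE_IFCONFIG" |
    awk '/^eth2/ { skip = 1; next } /^[A-Za-z]/ { skip = 0 } !skip')
POST_ROUTES=$(printf '%s\n' "$PRE_ROUTES" |
    awk '$8 != "eth2"' | sed 's/10\.1\.1\.254/10.1.1.2/')

# Write the sample captures into a scratch directory and print its path.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' "$PRE_IFCONFIG"  > "$dir/ifconfig.pre"
    printf '%s\n' "$POST_IFCONFIG" > "$dir/ifconfig.post"
    printf '%s\n' "$PRE_ROUTES"    > "$dir/routes.pre"
    printf '%s\n' "$POST_ROUTES"   > "$dir/routes.post"
    printf '%s\n' "$dir"
}

# One "iface address netmask" line per configured interface, from saved
# ifconfig output. HWaddr, MTU and flags are ignored on purpose: they
# legitimately change between hardware, while addressing must not.
iface_summary() {
    awk '/^[A-Za-z]/ { iface = $1 }
         /inet addr:/ {
             ip = ""; mask = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^addr:/) ip = substr($i, 6)
                 if ($i ~ /^Mask:/) mask = substr($i, 6)
             }
             print iface, ip, mask
         }' "$1" | sort
}

# One "dest/genmask via gateway dev iface" line per route, from saved
# netstat -rn output (header lines do not start with a digit and are skipped).
route_summary() {
    awk '$1 ~ /^[0-9]/ { print $1 "/" $3 " via " $2 " dev " $8 }' "$1" | sort
}

# net_diff SUMMARISER PRE_FILE POST_FILE: print entries lost ("- ") and gained
# ("+ ") after the restore; exit status 0 when nothing changed, 1 otherwise.
net_diff() {
    pre_sum=$(mktemp); post_sum=$(mktemp)
    "$1" "$2" > "$pre_sum"
    "$1" "$3" > "$post_sum"
    comm -23 "$pre_sum" "$post_sum" | sed 's/^/- /'
    comm -13 "$pre_sum" "$post_sum" | sed 's/^/+ /'
    if cmp -s "$pre_sum" "$post_sum"; then rc=0; else rc=1; fi
    rm -f "$pre_sum" "$post_sum"
    return $rc
}

SAMPLES=$(write_samples)
echo "== interface changes on AT_GWY_1 =="
net_diff iface_summary "$SAMPLES/ifconfig.pre" "$SAMPLES/ifconfig.post" ||
    echo "interfaces differ: check NIC assignment before returning the gateway to service"
echo "== route changes on AT_GWY_1 =="
net_diff route_summary "$SAMPLES/routes.pre" "$SAMPLES/routes.post" ||
    echo "routes differ: compare against the saved /etc/sysconfig/network copy"
```

On a real gateway, replace the constructed captures with the ifconfig.txt and routes.txt files saved before the upgrade and fresh captures taken after the restore.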
Backup Schedule Recommendations

Perform backups using any of the methods described during maintenance windows to limit disruptions to services, CPU utilization, and time allotment.

• Snapshot - Perform snapshots at least once or before major changes, such as upgrades.
• Backup - Perform a backup every couple of months, depending on how frequently changes are made to the network or policy.
• Upgrade_export/migrate export - Export at least every month depending on changes to the network or policy, and before an upgrade or migration. This method can be performed anytime outside a maintenance window.

Test your backups with either the backup, upgrade_export, or migrate export files.
Performing Upgrades
Before upgrading a gateway or Security Management server (SMS) to R75, you need to have a valid support contract that includes the software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on the Security Management server and downloaded to security gateways during the upgrade process. Always upgrade your SMS before upgrading any gateways. As you proceed through the upgrade process, note that the process verifies a contract file is already present on the server. If not, you have the option of either downloading a file from the User Center, or importing a local contract file. You can elect to continue without contract information and obtain it at a later date, but note that your licensing agreement with Check Point will remain in violation until you obtain the contract file. For additional information, refer to the R75 Installation and Upgrade Guide.
SMS Upgrade and Database Migration
Typically, you begin an upgrade with a clean installation of R75 on a different computer. You then migrate the management databases from the source computer to the new one. During this process, you want to prevent as much unnecessary downtime as possible, and permit yourself the ability to test the new version before implementing it into production. Performing an initial installation on a clean system ensures this transition to production while meeting these requirements. Note that:
• The target computer must have the same set of products (or more) as the set of products installed on the source computer.
• The SMS version on the new computer must be the same or greater than the version installed on the original.
• The migration will not be performed for the SmartReporter or SmartEvent databases. A separate procedure is available for SmartReporter database migration.
Workflow
Typically, the procedure is as follows:
1. Prepare the source machine for export. Verify that the upgrade path from your older version to the new one is supported; refer to the release notes of the newer version. For example, if installing R75, the source machine must be R65 or later. Perform a log switch to close the log files in SmartView Tracker in order to migrate existing log files. Run the pre_upgrade_verifier utility and correct any errors resulting from the test. For a distributed deployment, run cpstop to stop all processes on the management. Using the upgrade tools utility, run the migrate export command to create the backup archive of all the Check Point configuration settings. Save this file to a safe location for export to the target machine.
2. Install New Version on Target. Perform a clean install of R75 (or a later version) on a separate target machine.
3. Export Databases from Source. Export the archive backup file to the new machine using SCP or another secure method of transfer.
4. Import Databases to Target. Execute migrate import to import the original database information to the new SMS.
5. Test Target Deployment. The cpd process controls Secure Internal Communication (SIC), policy installation, and shared-management capabilities between Check Point products and OPSEC-partner products. CPD listens on the certificate distribution port, waiting for fwm to provide cpd with its certificate. Debugging cpd can help you determine how to address communication problems with your upgraded SMS before deploying it into the network for the first time. For more details about debugging cpd, refer to the section at the end of this chapter.
6. Connect Target to Network. Incorporate the new machine into the production environment by connecting it to the network, and disconnecting the original machine.
This procedure applies whether the upgrade is performed on SecurePlatform, Linux, Windows or IPSO.
It is recommended to upgrade to a machine with the same IP address because licensing information relies on the IP address of the server. However, should you wish to upgrade to a machine using a different IP, you must include a rule in the rule base prior to performing the upgrade that permits traffic from the new server to the gateways. Then, on the target computer after the migration, update the SMS licenses with the new IP address, and remove the rule and object created before.
Upgrade Cluster Deployments
When upgrading a clustered gateway deployment, you have three optional methods:
• Minimal Effort Upgrade
• Zero Downtime
• Full Connectivity Upgrade

Minimal Effort Upgrade
This upgrade method treats each individual cluster member as an individual gateway, assuming network downtime is permitted. In this case, follow the same upgrade procedure for each gateway cluster member as you would for a distributed deployment scenario.

Zero Downtime
This method assumes that no network downtime is permitted, and all cluster members apart from one are upgraded first. To do this, you must enable broadcast mode on all the cluster members before beginning in order to avoid switching problems around the cluster. The command cphaconf set_ccp broadcast must be applied to all the members. This setting survives reboot and must be set back to multicast mode manually after all the members have been upgraded. Ensure upgraded licenses are assigned to each cluster member using SmartUpdate. The upgrades on each member can be accomplished either in-place or by using SmartUpdate. Do not change the cluster mode on any of the cluster members prior to completing the upgrade. For example, if you are running Load Sharing on the corporate cluster, do not change it to High Availability (HA) mode. Changes to the cluster mode should be applied after the upgrade. Push policy to the standby members after the secondary members have been upgraded. When you have done this, the primary member policy installation will fail. Run the cphaprob stat command to verify the Ready status on the upgraded members, and a Down status on the primary. Run cphastop on the primary member, and proceed with the final upgrade on this member. Traffic will be routed to the other members as you perform this upgrade.
You must remember to run cphaconf set_ccp multicast (assuming you do not want to continue running in broadcast mode) and cphastart on all the cluster members after the primary has been upgraded.
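A small check for the cphaprob stat step of the Zero Downtime procedure, added here as an example; it is not part of the course material or of Check Point's own tooling. It parses the member table that cphaprob stat prints and confirms the precondition for running cphastop on the last member: every upgraded member reports Ready and the not-yet-upgraded primary reports Down. The sample output is constructed to resemble the R75 table layout; the member numbers and addresses are placeholders.

```python
"""Check the Zero Downtime precondition from "cphaprob stat" output.

Added example, not Check Point's own tooling. The sample output below is
CONSTRUCTED to resemble the R75 table layout; member numbers and addresses
are placeholders.
"""
import re

# Constructed sample: two upgraded members (Ready) and the primary (Down).
SAMPLE_STAT = """\
Cluster Mode:   Load Sharing (Multicast)

Number     Unique Address  Assigned Load   State

1 (local)  10.0.0.1        0%              Down
2          10.0.0.2        50%             Ready
3          10.0.0.3        50%             Ready
"""

# A member row starts with the member number; "(local)" marks the member the
# command ran on. The last whitespace-separated field is the State column.
_ROW = re.compile(r"^\s*(\d+)(?:\s+\(local\))?\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_cphaprob_stat(text):
    """Return {member_number: state} for every member row in the output."""
    members = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            members[int(m.group(1))] = m.group(4)
    return members


def ready_for_final_upgrade(text, primary):
    """True when the primary is Down and every other member is Ready."""
    members = parse_cphaprob_stat(text)
    if members.get(primary) != "Down":
        return False
    others = [state for number, state in members.items() if number != primary]
    return bool(others) and all(state == "Ready" for state in others)


if __name__ == "__main__":
    print(parse_cphaprob_stat(SAMPLE_STAT))
    print("safe to run cphastop on member 1:",
          ready_for_final_upgrade(SAMPLE_STAT, 1))
```

Run it on a real gateway by feeding the captured output of cphaprob stat to ready_for_final_upgrade with the primary's member number; a False result means policy has not yet been pushed to all upgraded members, or a member is in an unexpected state, and cphastop on the primary should wait.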
Full Connectivity Upgrade
Full Connectivity Upgrade (FCU) is only supported within the same major release (R70 to R71, R71 to R75). It is not supported across major releases (R65 to R70). This method assures synchronization between old and new cluster members without loss of connectivity. FCU is equivalent to a failover in a cluster where members are of the same version. Think of old members as those gateways in a cluster that have not yet been upgraded (active state). New members are those gateways in a cluster that have been upgraded (non-active state). Also, whatever does not survive failover will not survive an FCU. These limitations include security servers and services that are marked as non-synced, local connections, and TCP connections that are TCP streamed. In addition, you must verify that the installed products on all the cluster members are the same by running the command:
fw ctl conn
If your cluster has two members, you can treat the upgrade similarly to performing a Zero Downtime procedure, but before running cphastop on the final member, you must run the command fw fcu on the upgraded member, then continue with the process. If performing FCU on a cluster with three or more members, you can either upgrade two members first using the Zero Downtime procedure, or upgrade only one member using the Zero Downtime procedure. In either case, you must run the command fw fcu on the upgraded members before continuing. For more than three cluster members, you can divide the upgrade equally to ensure the remaining members can handle the traffic load during the upgrade process. The cphaprob fcustat command provides statistical information regarding the upgrade process. You can run this command on any of the upgraded members.
Practice and Review
Practice Lab
Lab 1: Upgrading to Check Point R75
Review Questions
1. How long can it take to perform a snapshot?
2. Is it possible to back up from the WebUI interface?
3. What is a critical task for both Snapshots and Backups?
Chapter 2 - Advanced Firewall
The Check Point Firewall Software Blade builds on the award-winning technology, first offered in Check Point's FireWall-1 solution, to provide the industry's best gateway security with identity awareness. Check Point's firewalls are trusted by 100% of Fortune 100 companies and deployed by over 170,000 customers. Check Point products have demonstrated industry leadership and continued innovation since the introduction of FireWall-1 in 1994.
Chapter Objectives:
• Using knowledge of Security Gateway infrastructure, including chain modules, packet flow and kernel tables, to describe how to perform debugs on firewall processes.
FireWall-1 Infrastructure
As a security expert considering the needs of your organization, you must apply in-depth knowledge of security gateways as you implement them beyond a simple distributed deployment. In order to establish a good framework for troubleshooting gateways in a complex network topology, you must fully understand the FireWall-1 infrastructure. You should recall that fundamentally, Check Point security components are divided into the following components:
• GUI clients
• Security Management
• Security Gateway
GUI Clients
SmartConsole applications, such as SmartView Tracker, SmartEvent, SmartReporter and SmartDashboard, are executable files available for Windows operating systems and most versions of Solaris. These GUI applications offer the administrator the ability to configure, manage and monitor security solutions, perform maintenance tasks, generate reports and enforce corporate policy in real time. Check Point periodically releases new executables that include updates for these applications, also known as "GUI HFAs". These, however, are not related or aligned with Security Gateway HFAs and are considered a separate, unrelated release track.
Management
The management component is responsible for all management operations in the system. It contains several different components, such as the management, reporting suite, log server, etc. All of the functionality of the management server is implemented in User-Mode processes, where each process is responsible for several operations. The most significant processes are:
• FWM
• FWD
• CPD
• FWSSD
• CPWD (Check Point WatchDog)
Security Gateway
The Security Gateway, usually referred to simply as the "Firewall," is the component in the system responsible for security enforcement, encryption/decryption, authentication and accounting. The functionality of the security gateway is implemented both in User Mode and in the Kernel. As the security gateway is first and foremost a network device running an OS, it is inherently vulnerable to various network layer attacks. To mitigate this risk and others, some of the firewall functionality is implemented in the OS kernel. This allows the traffic to be inspected before even getting to the OS IP stack.
Figure 4 - Security Gateway (diagram of the User Mode and OS Kernel components)
User and Kernel Mode Processes
As administrators trying to debug the firewall, the first observation to make is to decide which firewall functionality is implemented in user space and which is implemented in the kernel. Once you make that distinction, you can decide the best approach to addressing the problem, including which tool is the most appropriate to use.
Figure 5 - Processes
The FireWall-1 kernel is responsible for the majority of the security gateway's operations, such as security enforcement, encryption/decryption, NAT, etc. In order to detect which part of the kernel might be responsible for a specific issue, start by considering the inner structure of the FW kernel and its interaction with the OS kernel, the hardware, and other kernel components, such as acceleration. The Kernel mode resides in the lowest possible location. Every packet that goes through the FW is inspected, whereas in the network layers you would not see all those packets.
The User Mode is actually not mandatory, but it allows the FW to function more efficiently in the application layer. The FW employs services that the OS provides and allows easier inspection of files on open connections. It is possible and, in some cases, required for user and kernel processes to communicate. To allow this, there are two mechanisms: ioctl (Input/Output Controls) and traps. When a kernel process wishes to signal to a user mode process it sets a "trap", i.e., changes a value in a registry key. The user mode process monitoring that flag "stumbles" on the trap and performs the requested operation. When a user mode entity needs to write information to a kernel process, it uses ioctl, which is an infrastructure allowing the entity to call a function in the kernel and supply the required parameters.
The CPD Core Process
Check Point Daemon (CPD) is a core process available on every Check Point product. Among other things, it allows the following:
1. Secure Internal Communication (SIC) functionality - Ports 18xxx are used for this communication.
2. Status - Pull AMON status from the GW/Management using SmartEvent.
3. Transferring messages between FW-1 processes.
4. Policy installation - Receives the policy (on the GW) and pushes it forward to relevant processes and the Kernel.
FWM
FWM is available on any management product, including Multi-Domain Security Management, and on products that require direct GUI access, such as SmartEvent:
• GUI Client communication - This is communication between the Management Server and the GUI client.
• DB manipulation - This includes all actions that are performed on the MGMT, such as object creation, rules, and users.
• Policy compilation - FWM handles the policy compilation that is later applied to network traffic during the inspection process.
• Management HA sync - The sync management is handled in Management High Availability as well as UTM-1 hybrid deployments.
FWD
FWD allows other processes, including the kernel, to forward logs to external log servers as well as the Management Server. It is related to policy installation and is also used to communicate with the kernel using command line tools such as the fw commands; for example, when setting kernel variables or using kernel control commands.
FWSSD
FWSSD is a child process of FWD responsible for maintaining the Security Servers. Each Security Server will be invoked according to activated features, such as DLP, and corresponding rules with URI resource, SMTP resource, and authentication. The processes that actually run as the security servers are "in.xxxx".
Inbound and Outbound Packet Flow
These processes work on each packet through another process called inspection. To understand how the packets are inspected, consider the firewall kernel more closely. The firewall's kernel consists of two completely separate logical parts called the "Inbound" and "Outbound", representing the process of a packet coming into and going out from the firewall (respectively):
Figure 6 - Firewall Kernel
Each part of the kernel acts independently and does not assume that a packet was inspected or processed by the other. So, some functionality is implemented both on the inbound and on the outbound. Some key points include:
• Each direction has its own ordered chain of modules (packet processing handlers).
• Handlers decide whether to continue, terminate or hold the processing of a packet.
• Inspection is performed on virtually defragmented packets.
The inspection process does expect that a packet in the outbound that has not visited the inbound first originated from the gateway itself. It is also assumed that a packet not originating from the gateway was inbound.
Inbound FW CTL Chain Modules
In the following example, the chain modules are displayed:
Figure 7 - Inbound Chain
In this figure, we see the inbound chain, though this is just one example and in different configurations some chain modules will not appear and others might be added. Between different releases, we sometimes add or completely remove chain modules, depending on the version-specific design decisions.
Outbound Chain Modules
In the following example, chain modules are displayed:
Figure 8 - Outbound Chain
Shown in this figure, the outbound chain shows roughly the same chain modules as seen on the inbound. The most significant difference is that in the inbound, the vpn decrypt and vpn decrypt verify chain modules are seen. This makes sense because you would expect a packet to be decrypted on the inbound. In addition, the outbound chain also has the vpn encrypt chain module in case the packet needs to be encrypted on the outbound.
Columns in a Chain
Consider the following chain example:
Figure 9 - Location of Modules in the Chain (key legend: 3 - All packets; ffffffff - All packets, identical to 3)
The location of the module in the chain is a relative serial number for the position of this chain module in this particular gateway configuration. For example, in the figure above "fw VM outbound" is the 6th chain module; it might be in a different location in other gateway scenarios. The chain position is an absolute number that never changes. In the VPN chapter, we will learn that in wire mode we do not want the firewall to enforce stateful features on a packet. To address concerns such as this, in the firewall kernel each kernel chain module is associated with a key. This key specifies the type of traffic applicable to this chain module. For a wire-mode configuration, chain modules marked with "1" will not apply, and for stateful mode, the chain modules marked with "2" will not apply. Chain modules marked with "ffffffff" (IP options strip/restore) and "3" will apply to all traffic.
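As an added example (not the course's or Check Point's own code), the following parser reads the text that fw ctl chain prints and applies the key rule just described: for a given traffic mode it lists which chain modules a packet actually visits, and it checks that the absolute positions increase along the chain. The sample output is constructed to resemble the R75 layout (relative index, absolute position, handler address, key, module name); the addresses, positions and exact module set are illustrative, not taken from a real gateway.

```python
"""Parse "fw ctl chain" output and apply the chain-key rule.

Added example, not Check Point code. Each chain line carries: the relative
index in the chain, the absolute (signed hex) position, the handler's address,
the key that says which traffic the module applies to, and the module name.
The sample below is CONSTRUCTED to resemble the R75 layout.
"""
import re
from collections import namedtuple

ChainModule = namedtuple("ChainModule", "index position key name")

SAMPLE_CHAIN = """\
in chain (8):
        0: -7f800000 (f27f2a60) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: - 2000000 (f27e2c10) (00000003) vpn decrypt (vpn)
        2: - 1fffff6 (f27f3e70) (00000001) Stateless verifications (in) (asm)
        3: - 1fffff0 (f27f2a60) (00000003) vpn decrypt verify (vpn_ver)
        4:         0 (f27c3080) (00000001) fw VM inbound (fw)
        5:         2 (f27e2c10) (00000002) wire VM inbound (wire_vm)
        6:  10000000 (f27f7d50) (ffffffff) IP Options Restore (in) (ipopt_res)
        7:  7f000000 (f27d1a00) (00000001) fw SCV inbound (scv)
out chain (7):
        0: -7f000000 (f27f2a60) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: - 1fffff0 (f27e2c10) (00000003) vpn nat outbound (vpn_nat)
        2: - 1ffff60 (f27f3e70) (00000001) Stateless verifications (out) (asm)
        3:         0 (f27c3080) (00000001) fw VM outbound (fw)
        4:         2 (f27e2c10) (00000002) wire VM outbound (wire_vm)
        5:   2000000 (f27e3000) (00000003) vpn encrypt (vpn)
        6:  10000000 (f27f7d50) (ffffffff) IP Options Restore (out) (ipopt_res)
"""

_HEAD = re.compile(r"^\s*(in|out) chain \((\d+)\):")
_LINE = re.compile(
    r"^\s*(\d+):\s*(-?\s*[0-9a-fA-F]+)\s+\([0-9a-fA-F]+\)\s+\(([0-9a-fA-F]+)\)\s+(.+?)\s*$"
)

# Key values as described in the text: 1 = skipped in wire mode,
# 2 = skipped in stateful mode, 3 and ffffffff = all traffic.
KEY_STATEFUL_ONLY = "00000001"
KEY_WIRE_ONLY = "00000002"
KEY_ALL = {"00000003", "ffffffff"}


def parse_fw_ctl_chain(text):
    """Return {"in": [ChainModule, ...], "out": [...]} in chain order."""
    chains, current = {}, None
    for line in text.splitlines():
        head = _HEAD.match(line)
        if head:
            current = head.group(1)
            chains[current] = []
            continue
        m = _LINE.match(line)
        if m and current is not None:
            # "- 2000000" is printed with a space after the sign; strip it.
            position = int(m.group(2).replace(" ", ""), 16)
            chains[current].append(
                ChainModule(int(m.group(1)), position, m.group(3).lower(), m.group(4))
            )
    return chains


def applies(module, wire_mode):
    """Does this module run for the given traffic type, per its key?"""
    if module.key in KEY_ALL:
        return True
    if module.key == KEY_STATEFUL_ONLY:
        return not wire_mode
    if module.key == KEY_WIRE_ONLY:
        return wire_mode
    return True  # unknown key: assumed to apply (this example's assumption)


def modules_for_traffic(modules, wire_mode):
    """Chain modules a packet of the given mode actually visits, in order."""
    return [m for m in modules if applies(m, wire_mode)]


def check_ordering(modules):
    """Absolute positions must increase along the chain; True if they do."""
    positions = [m.position for m in modules]
    return positions == sorted(positions)
```

When comparing two gateways, compare by absolute position and module name rather than by index: the index shifts whenever a blade adds or removes a module, while the position is the value the kernel actually orders by.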
To try this on a firewall in your lab, run the following command:
fw ctl chain

Stateful Inspection
Stateful Inspection was invented by Check Point, providing accurate and highly efficient traffic inspection. It implements all necessary firewall capabilities between the Data and Network layers (layers 2 and 3), but is capable of processing data from layers 4-7 for improved security.
Figure 10 - Stateful Inspection (diagram: the INSPECT engine sits between the Data and Network layers of the OSI stack, below the Transport, Session, Presentation and Application layers; pros listed: Good security, Full application-layer, High performance, Extensibility, Transparency)
The inspection engine examines every packet as it is intercepted at the Network layer. The connection state and context information are stored and updated dynamically in the kernel tables.
To review the process flow of the inspection engine, review the flow chart below:
Figure 11 - Inspection Module
1. Packets pass through the NIC to the Inspection Module. The Inspection Module inspects the packets and their data.
2. Packets are matched to the policy rule base, one rule at a time. Packets that do not match any rule are dropped.
3. Logging and/or alerts that have been defined are activated.
4. Packets that pass inspection are moved through the TCP/IP stack to their destination.
5. For packets that do not pass inspection and are rejected by the rule definition, an acknowledgement is sent (i.e., an RST packet on TCP, and ICMP unreachable on UDP).
6. The packets that do not pass inspection and do not apply to any of the rules are dropped without sending a negative acknowledgement.
Kernel Tables
There are dozens of Kernel tables, each storing information relevant to a specific firewall function. Using the information saved in the Kernel tables, very elaborate and precise protections can be implemented. To view all the existing Kernel tables, type the command fw tab -t at the command prompt. To view only the table names and get a perspective on the number of Kernel tables available, on SecurePlatform, use the following command:
fw tab -t | grep -ve "^-----" | more
Note: To view the tables in CoreXL, use -i <core number> instead of the -t shown above.
Most of the traffic-related information is saved in the Kernel tables. (There is also information stored in htabs, ghtabs, arrays, kbufs, and other devices.) Tables, however, may be created, deleted, modified and read. In particular, consider the Connections table. The connections table is essentially an approved-connections list. The firewall, as a network security device, inspects every packet coming in and out of each interface. After the first packet is matched against the rule base, we need to assume that the returning packet might not be accepted by the rule base. Let's discuss this scenario. Say that we allow 10.10.10.10 to browse to 10.10.10.20 via HTTP in the rule base and drop everything else. The SYN packet will match the rule base and pass, but the SYN-ACK packet comes back with the reversed tuple (source IP 10.10.10.20, destination IP 10.10.10.10), source port 80 and a "random" destination port, which the rule does not cover. To mitigate this, for every recorded connection, a matching reversed-tuple entry is also added to the list of approved connections. Some scenarios such as NAT, data connections and elaborate protocols, such as VoIP, introduce more complexity to the logic behind maintaining the connections table.
Connections Table
To understand more about how the connections table works, let's consider its important features:
• Enhanced performance - As we saw in the INSPECT module flowchart, the action of matching a packet against the rule base may be very costly (especially if there is a very large rule base with dynamic objects and logical servers that need to be resolved). By maintaining the list of approved connections in the connections table, not every packet is matched against the rule base, thus saving valuable time and computing power.
• Allow server replies - We noted earlier that sometimes server-to-client packets might not match the rule base. In these cases, they would be handled by the connections table.
• Stateful features
• Streaming-based applications (Web security, etc.), sequence verification and translation
• Hide NAT (when the server-to-client packets returning to the firewall might not match the rule base, explicit entries need to be added to the connections table)
• Logging, accounting, monitoring, etc.
• Client and server identification
• Data connections
Connections Table Format
Each new packet is recorded in the table in all available entries. In FireWall-1 version 4.1, only one entry was made for each new connection. Each packet had to go through the connections table several times to verify all available types of connection. Today, each packet goes through a single lookup as all available entries are already recorded in the table.

TCP connection (no NAT) example:
192.168.4.15 (30235) -> 212.150.141.5 (23)    (real entry)    Allows outbound packets from the client to the server.
212.150.141.5 (23) -> 192.168.4.15 (30235)    (reverse entry) Allows inbound packets from the server to the client.
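A toy model, added here as an example and not Check Point code, of the two things the Inspection Module flow chart and the connections table sections describe: first-match evaluation of the rule base with the three outcomes (accept, silent drop, reject with a negative acknowledgement), and the two entries that an accepted connection leaves in the connections table so that the server's reply is approved by a single table lookup instead of a rule base walk. The rule base reproduces the 10.10.10.10 to 10.10.10.20 HTTP scenario from the text; the reject rule, addresses and ports are constructed sample values.

```python
"""Toy model of rule-base matching and the connections table.

Added example, not Check Point code. The first matching rule decides the fate
of a packet that is not yet in the connections table; an accepted first packet
records both its real tuple and its reversed tuple, so the reply never has to
match the rule base. Addresses, ports and rules are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


@dataclass(frozen=True)
class Rule:
    src: str                  # "Any" or one IP
    dst: str
    dport: Optional[int]      # None matches any service port
    proto: Optional[int]      # None matches any protocol
    action: str               # "accept", "drop" or "reject"

    def matches(self, p):
        return (self.src in ("Any", p.src) and self.dst in ("Any", p.dst)
                and self.dport in (None, p.dport) and self.proto in (None, p.proto))


# Constructed rule base: the text's HTTP rule, a reject rule for telnet to show
# the reject path, and a cleanup rule that drops everything else.
RULEBASE = [
    Rule("10.10.10.10", "10.10.10.20", 80, TCP, "accept"),
    Rule("Any", "Any", 23, TCP, "reject"),
    Rule("Any", "Any", None, None, "drop"),
]


def key(p):
    """The 5-tuple recorded in the connections table (the real entry)."""
    return (p.src, p.sport, p.dst, p.dport, p.proto)


def reversed_key(p):
    """The reversed tuple: what the server's reply will look like."""
    return (p.dst, p.dport, p.src, p.sport, p.proto)


class Inspector:
    def __init__(self, rulebase):
        self.rulebase = rulebase
        self.connections = set()   # approved tuples, both directions
        self.log = []              # (rule number, action, tuple)

    def inspect(self, p):
        # Known connection: a single table lookup, no rule base walk.
        if key(p) in self.connections:
            return "accept (connections table)"
        # Otherwise match the rule base one rule at a time; first match wins.
        for n, rule in enumerate(self.rulebase, 1):
            if not rule.matches(p):
                continue
            self.log.append((n, rule.action, key(p)))
            if rule.action == "accept":
                # Record the real entry and the reversed-tuple entry.
                self.connections.add(key(p))
                self.connections.add(reversed_key(p))
                return "accept (rule %d)" % n
            if rule.action == "reject":
                nack = "TCP RST" if p.proto == TCP else "ICMP unreachable"
                return "reject (rule %d, %s sent)" % (n, nack)
            return "drop (rule %d)" % n
        # No rule matched at all: dropped with no negative acknowledgement.
        return "drop (no matching rule, silent)"


if __name__ == "__main__":
    insp = Inspector(RULEBASE)
    syn = Packet("10.10.10.10", "10.10.10.20", 40000, 80, TCP)
    syn_ack = Packet("10.10.10.20", "10.10.10.10", 80, 40000, TCP)
    print("SYN-ACK before SYN:", insp.inspect(syn_ack))
    print("SYN:", insp.inspect(syn))
    print("SYN-ACK after SYN:", insp.inspect(syn_ack))
```

Inspecting the SYN-ACK before the SYN shows the problem the text raises: the reply does not match rule 1 and falls through to the cleanup rule. After the SYN has been accepted, the same SYN-ACK is approved from the table without touching the rule base.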
1. ... Use SmartDirectory (LDAP) for Security Gateways is checked.
2. Verify that your AU (Account Unit) is configured for user management, i.e., User management is checked on the General tab of the AU.
3. Configure the correct SmartDirectory profile. Which LDAP server are you using? Is it one of our supported OPSEC servers? Verify that your OPSEC LDAP server is supported on http://www.opsec.com/solutions/sec_authentication.html.
4. Check that the AU object is configured correctly, i.e., profile, correct branches and administrator DN.
5. Check the LDAP group objects configuration. How did you configure the LDAP groups? If you selected the option All Account-Unit's Users or Only Sub Tree, the groups defined on the LDAP server are irrelevant. For Only Group in branch, the group must point to a group on the LDAP server. Is it a dynamic group?
6. Where do you use authentication? The relevant LDAP groups should be used in the authorizations of the product that uses authentication. For example, when using Endpoint Connect, the user groups should be defined on the RemoteAccess object.
Once all the above are configured correctly and you have all the answers you need, obtain the following debugging information:
• Run TDERROR_ALL_ALL=5 on the process that performs the authentication. In this case, it depends on item number 4 above; for example, it would be the vpnd process for Endpoint Connect. Try to authenticate with the problematic user (and with a user that authenticated successfully, if you have one), and save the log file.
• A capture of a successful and an unsuccessful login will help you in investigating the problem, but be sure your AU object is configured not to work with SSL so that you have a clear connection. When you have the capture, try to see which attributes are being used to query for group membership.
Common Configuration Pitfalls
When troubleshooting SmartDirectory (LDAP) issues, the following tips are useful to keep in mind as potential causes:
• The Use SmartDirectory (LDAP) checkbox is unchecked in Global Properties.
• The bind credentials for the LDAP AU are wrong. Incorrect credentials are not flagged at the time the AU is created.
• The option User Management is unchecked on the General tab of the AU.
• Allowed authentication schemes may be configured on the SG, but the corresponding scheme is not selected in the AU properties.
• The AUs are assigned to the SG, but the AU is not selected.
• The LDAP schema is not extended and the AU is not assigned an authentication scheme. Even if the schema is extended, the authentication scheme on the user record could still be undefined. It will remain undefined even though the AU defines a scheme.
• The generic template is used and a password is defined on it.
Some LDAP Tools
For tools on the firewall, refer to:
• ldapsearch. For example:
ldapsearch -D cn=administrator,cn=users,dc=boaz,dc=com -w zuburll -b cn=users,dc=boaz,dc=com -h 20.20.20.100 '(&(objectclass=user)(sAMAccountName=zaza))' mobile otherMobile
• ldapcmd (per process; commands: cacheclear, cachetrace, log on/off)
• ldapmodify. For example:
ldapmodify -c -h <host> -D <bind DN> -w <password> -f <LDIF file>
Troubleshooting User Authentication
A set of libraries in the /CPShared directory is linked to the application process. The processes which perform the authentication include:
• fwm - SmartDashboard authentication
• vpnd - Remote Access authentication
• cvpnd - SSL VPN user authentication
• Security Servers - user/client/session authentications
In addition, while the actual authorization is performed by the application, the authentication is mostly performed by the infrastructure in cpauth. The authentication infrastructure code modules in the chain include:
• cpauth. The authentication schemes performed by cpauth include: username and password (internal database as well as LDAP), RADIUS, SecurID, TACACS, OS password
• cpldapcl, ldap
• acesdk
In addition, when examining log entries, search for the following information to help with the debugging:
• Username
• Functions: make_au, au_auth, au_fetchuser, cpLdapGetUser, cpLdapCheck
• After fetch, the user's set is printed
• Auth starts with au_auth_auth; look for the authentication result
• Often the problem is authorization, not authentication
Identity Awareness
This section devotes attention to troubleshooting Identity Awareness to address a typical network security expert's job task requirements. Advanced User Management must take this product into account because of its importance in controlling corporate resources and increased visibility of user activities. Identity Awareness includes these key features:
• Configurable access roles - Use the Identity Awareness Software Blade to easily add users, user groups and machine identity intelligence to your security defenses. This information is obtained from the corporate directory services.
• Multiple user identification methods - Provides multiple methods to obtain a user's identity: Clientless, Captive Portal or Light Agent. Identity information can be utilized by relevant software blades to apply and enforce user-based policies.
• Deployment wizard for fast and simple deployment - Adding identity intelligence via the Identity Awareness Software Blade is fast and easy with the built-in deployment wizard. In a few steps, user, user-group, and machine information can be made available to utilize in policies throughout the security infrastructure.
• Identity sharing - Identity information can easily be shared as required, on a single gateway or across the entire network. In a multiple gateway deployment, such as multiple branches or multiple gateways protecting internal resources, identity can be acquired on one gateway and shared among all gateways.
Identity Awareness uses IP addresses, normally used by the Firewall to monitor traffic, as a means to map users and machine identities. Identity Awareness acquires user identities through several methods referred to as Identity Sources, which include AD Query, Captive Portal, and Light Agent. For troubleshooting purposes, we will focus on two types:
• AD Query identifies users logged on to Active Directory without prompting users for installation or credentials.
• Captive Portal identifies users by sending them to a Web page for authentication with Active Directory or other LDAP servers.
Once you enable an identity source on the gateway, the gateway will map IP addresses in your network to the user active at each IP. When traffic arrives from or to these IPs, the gateway will include the user and computer name in the logs. The following information provides some tips for troubleshooting cases when Identity Awareness cannot identify users in your network, and when traffic logs do not contain user information. The troubleshooting procedure includes:
1. Verifying AD Query setup
2. Identifying users behind an HTTP proxy
3. Verifying there is a logged-on AD user at the source IP
4. Checking the source computer OS and activating Captive Portal
5. Using SmartView Tracker for further troubleshooting

Enabling AD Query
Once you enable AD Query on a gateway, the gateway will register to the configured domain controllers in order to receive security event logs. By analyzing these logs, the gateway will map IPs on your network to their respective users and computers. AD Query does not detect all users and computers immediately. Depending on the activity in your network, AD Query may take up to a few hours to complete the mapping of users and computers to IPs. To quickly identify a user, lock the user's computer, wait a few seconds and then unlock it. This will generate a security event log, and the mapping of the user name to the IP will take place.
AD Query Setup
In addition to enabling AD Query in your policy, verify that the following conditions are met:
• Active Directory event logging is set up. Verify that domain controllers are configured to audit authentication success events. This is the default behavior in AD but may have been changed in your organization. In the domain controller Event Viewer, look for the following event numbers:
  • Windows 2003: events 672, 673 and 674.
  • Windows 2008: events 4624, 4768, 4769 and 4770.
• The LDAP Account Unit is set up. Verify that all domain controllers to which users authenticate are configured in the LDAP Account Unit Servers list. The Security Event log is not synchronized between domain controllers, so logons handled by a controller missing from the list are never seen.
• The gateway successfully connects to all domain controllers. Use SmartView Monitor to see the status of connections to domain controllers, or run "adlog a dc" in expert mode on the gateway to see connection status from the gateway to the domain controllers. Typical reasons for lack of connectivity to a domain controller:
  • A firewall/IPS device en route to the domain controller is blocking DCOM (port 135, or the high port used by DCOM).
  • The Check Point Firewall or IPS may be blocking DCOM. See sk58881 for resolution.
• Non-English user names: To support non-English user names, you must set an attribute using dbedit or GuiDBEdit. Set the SupportUnicode attribute to true on the LDAP Account Unit object. The LDAP Account Unit object is found in the Servers table.
• Users reach the gateway and the domain controller with the same endpoint IP. Users will reach the gateway with a different IP in the following cases:
  • When there's a NAT device between the users and the AD domain controller or gateway.
  • When users connect through a Citrix or Terminal Server.
  • When many users authenticate to one server, such as an Outlook Web Access server.
Users connecting behind NAT or via Citrix or Terminal Servers are not supported. When AD Query detects 7 or more users on the same IP, this IP is disregarded.
Identifying users behind an HTTP proxy
If your organization uses an HTTP proxy server positioned between users and the Security Gateway, logs will show the proxy as the source IP address and will not show the user's identity. For Application Control, the gateway can use the X-Forwarded-For HTTP header, which is added by the proxy server, to resolve this issue. To use the X-Forwarded-For HTTP header with Application Control:
1. Configure your proxy server to add the X-Forwarded-For HTTP header.
2. In SmartDashboard, on the Identity Awareness page of the gateway object, check "For Application Control blade, detect users located behind HTTP proxy using X-Forwarded-For header".
3. Install the policy.
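As an added example that is not Check Point code, the Python below shows the decision a gateway has to make once it honours X-Forwarded-For: the header is only meaningful when the connection really came from the configured proxy, because any client can send an X-Forwarded-For value of its own. The trusted proxy address, the helper name and the sample requests are constructed for this example.

```python
import ipaddress

# Constructed for this example: the proxy whose X-Forwarded-For header the gateway trusts.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def effective_client_ip(packet_src, xff_header):
    """Return the address that traffic and identity lookups should be attributed to.

    packet_src: the IP the gateway actually saw the connection from.
    xff_header: the X-Forwarded-For header value, or None when absent.

    The header is used only when the connection came from a trusted proxy. The header is
    read right to left (the rightmost entry is the one the trusted proxy appended), skipping
    other trusted proxies in a chain, so a client-supplied leftmost entry cannot spoof identity.
    """
    src = ipaddress.ip_address(packet_src)
    if src not in TRUSTED_PROXIES or not xff_header:
        return str(src)                       # no proxy in front, or no header: use the real source
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(src)                   # malformed entry: trust nothing further left
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(src)                           # header listed only proxies; fall back to the proxy IP


if __name__ == "__main__":
    # Constructed requests: a direct client, a proxied client, and a client that forged the header.
    print(effective_client_ip("10.0.1.23", "203.0.113.9"))                 # header ignored: 10.0.1.23
    print(effective_client_ip("10.0.0.5", "10.0.1.23"))                    # proxied user: 10.0.1.23
    print(effective_client_ip("10.0.0.5", "203.0.113.9, 10.0.1.23"))       # forged prefix ignored: 10.0.1.23
```

The same rule applies to any device behind the proxy feature: if the gateway accepted the header from arbitrary sources, a user could put another employee's address in X-Forwarded-For and have their traffic logged, and matched against identity-based rules, as that employee.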
Verifying there's a logged on AD user at the source IP
Once you have verified that the conditions in "AD Query Setup" are met, the next step is to verify that the computer at the IP in question is a domain computer and that a user is logged on. To verify that the source IP is indeed that of an AD user:
1. Verify the computer is a domain member. From a computer in the domain, try to access the C$ share on the source IP. For example, using the Start > Run command, enter \\10.0.0.1\C$. When prompted for credentials, enter domain administrator credentials. If you successfully opened the C$ share, this is a domain computer.
2. Verify that there's a user logged on. Use a WMI tool such as WMI Explorer to remotely connect to the IP and query for the user name.
Checking the source computer OS
If you cannot connect to the source IP's C$ share or with WMI Explorer, it is likely that this IP is a computer that is not a member of the domain. It is also possible, but less likely, that this IP is a domain computer but RPC and WMI traffic is blocked in your network or on the target computer. To help determine the OS at the IP, use remote endpoint profiling tools such as nmap to detect the OS. For example, run "nmap -A 10.0.0.1" to detect the OS on this IP:
Figure 3 - nmap Example
If this is not a Windows computer, turn on the Captive Portal on the gateway so that Web traffic will be intercepted and the user will have to authenticate. (AD Query identifies only computers logged on to the domain.)
Using SmartView Tracker
When you've verified that the source IP belongs to an AD user and the conditions described in "AD Query Setup" are met, but traffic logs still don't contain this user, you can track the Identity Awareness Login Activity in order to further troubleshoot the cause.
1. Open the SmartView Tracker Identity Awareness Login Activity view.
2. Search for log records from the source IP that's missing in the logs. Login logs (green door) and Logout logs (grey door) will be displayed.
3. Follow the steps below to find the possible cause of the missing users:
- If you see no Login logs, try searching in log files that have been switched already (SmartView Tracker opens the active log file). If you still see no logs, AD Query failed to identify the user and you should contact support.
- If you see Login logs and AD Query runs on a different gateway (not the one that generated the traffic log), verify that identity sharing is configured correctly in the Identity Awareness properties. In the Identity Sharing properties of the gateway that generates the logs, verify that it gets identities from All sharing gateways or specifically from the gateway that runs AD Query. In the Identity Sharing properties of the gateway that runs AD Query, verify that Share local identities with other gateways is checked.
- If you see Logout logs despite the fact that the user was active in the period following the Login log, try increasing the AD Query association time-out. This time-out is 10 hours by default, but if it's lowered, users are detected as logged out sooner. (When using AD Query, Logout occurs when no security event logs are created for a user for 10 hours by default.)
- If you see a Logout log of the user followed by a Login log of a different user on the same IP, it's possible that there is a Windows service that logs on with a user account. By default, AD Query aggregates the 2 or more users on the IP unless you checked the Assume that only one user is connected per computer option, in which case the service causes the user account to be logged out. To deal with this scenario, enter the account used by the service in the Excluded Users/Machines list found in AD Query Advanced Settings.
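The behaviours this troubleshooting procedure depends on (the logon event IDs AD Query consumes, the 10-hour association time-out, the 7-users-per-IP cut-off, machine-account and excluded-account filtering, and the difference between aggregating users and the Assume that only one user is connected per computer option) are modelled together in the Python below. This is an added example, not Check Point code: the class and constant names are this example's own, the events are constructed, and event 4771 (a Kerberos pre-authentication failure) is included only to show that failure events produce no identity.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2008 security event IDs the text says AD Query consumes.
LOGON_EVENT_IDS = {4624, 4768, 4769, 4770}
# Values from the text; the constant names are this example's own.
ASSOCIATION_TIMEOUT = timedelta(hours=10)
MAX_USERS_PER_IP = 7


class ADQueryMapper:
    """Builds the IP -> user association that AD Query derives from domain controller logs."""

    def __init__(self, excluded_users=(), one_user_per_computer=False):
        self.excluded = {u.lower() for u in excluded_users}   # Excluded Users/Machines list
        self.one_user_per_computer = one_user_per_computer    # "Assume that only one user ..." option
        self.assoc = defaultdict(dict)                         # ip -> {user: time of last event}

    def ingest(self, event):
        if event["event_id"] not in LOGON_EVENT_IDS:
            return                                   # failures and unrelated events carry no identity
        user = event["user"].lower()
        if user.endswith("$") or user in self.excluded:
            return                                   # machine accounts and excluded service accounts
        ip = event["client_ip"]
        if self.one_user_per_computer:
            self.assoc[ip] = {user: event["time"]}   # a new logon replaces (logs out) the previous user
        else:
            self.assoc[ip][user] = event["time"]     # default: aggregate every user seen on the IP

    def identities(self, ip, now):
        """Users currently associated with ip; [] when unknown, timed out, or too many users."""
        seen = self.assoc.get(ip, {})
        active = sorted(u for u, t in seen.items() if now - t < ASSOCIATION_TIMEOUT)
        if len(active) >= MAX_USERS_PER_IP:
            return []                                # shared IP (NAT, Citrix, terminal server): disregarded
        return active


T0 = datetime(2017, 2, 1, 8, 0)


def hours_after(h):
    return T0 + timedelta(hours=h)


# Constructed events, in the shape a parser of DC security logs might emit.
SAMPLE_EVENTS = [
    {"event_id": 4768, "time": T0, "user": "alice", "client_ip": "10.0.0.1"},
    {"event_id": 4624, "time": T0 + timedelta(minutes=1), "user": "svc_backup", "client_ip": "10.0.0.1"},
    {"event_id": 4769, "time": T0, "user": "bob", "client_ip": "10.0.0.2"},
    {"event_id": 4624, "time": T0, "user": "PC02$", "client_ip": "10.0.0.2"},
    {"event_id": 4771, "time": T0, "user": "carol", "client_ip": "10.0.0.3"},   # pre-auth failure: ignored
] + [
    {"event_id": 4624, "time": T0, "user": f"ts_user{i}", "client_ip": "10.0.0.9"} for i in range(7)
]


def build_mapper(excluded_users=("svc_backup",), one_user_per_computer=False):
    mapper = ADQueryMapper(excluded_users, one_user_per_computer)
    for ev in SAMPLE_EVENTS:
        mapper.ingest(ev)
    return mapper


if __name__ == "__main__":
    m = build_mapper()
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.9"):
        print(ip, m.identities(ip, hours_after(1)))
    print("10.0.0.1 after 11h:", m.identities("10.0.0.1", hours_after(11)))
    print("no exclusion, one user per computer:",
          build_mapper((), True).identities("10.0.0.1", hours_after(1)))
```

Running it with the default arguments gives alice on 10.0.0.1 and bob on 10.0.0.2, nothing for 10.0.0.3 (failure event) or 10.0.0.9 (seven users), and nothing for 10.0.0.1 once 11 hours have passed. Dropping the exclusion list shows the service account appearing alongside alice; turning on the one-user option instead shows the service account displacing her, which is the Logout-then-Login pattern the last bullet describes.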
Practice and Review
Practice Lab
Lab 4: Configuring SmartDashboard to Interface with Active Directory
Review Questions
1. What objects make up an Organizational Unit container?
2. What does an LDAP Schema do?
3. How long does it take for AD Query to map users and computers to IPs?
4. If you cannot connect to the source IP C$ share or with WMI Explorer, what is the likely cause?
Chapter 5 - Advanced IPsec VPN and Remote Access
Check Point's VPN Software Blade is an integrated software solution that provides secure connectivity to corporate networks, remote and mobile users, branch offices and business partners. The blade integrates access control, authentication and encryption to guarantee the security of network connections over the public Internet.
Objectives
• Using your knowledge of fundamental VPN tunnel concepts, troubleshoot a site-to-site or certificate-based VPN on a corporate gateway using IKEView, VPN log files and command-line debug tools.
• Optimize VPN performance and availability by using Link Selection and Multiple Entry Point solutions.
• Manage and test corporate VPN tunnels to allow for greater monitoring and scalability with multiple tunnels defined in a community, including other VPN providers.
Advanced VPN Concepts and Practices
As a network security expert, working with VPNs is fundamental to your typical tasks and job responsibilities, requiring an in-depth working knowledge of VPN technology and concepts. This chapter assumes a basic comprehension of encryption, cryptography applications (algorithms and hash methods), and configuration of site-to-site VPNs using either pre-shared secrets or certificates.
IPsec
IPsec is an open standard protocol suite for secure IP communications using authentication and encryption techniques on IP packets. The following are used to perform various functions:
• Authentication Header (AH) - provides connectionless integrity and data origin authentication for IP datagrams, and provides protection against replay attacks. AH was supported in some legacy Check Point products.
• Encapsulating Security Payload (ESP) - provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality.
• Security Associations (SA) - though not a protocol, this data structure provides the bundle of algorithms and data that are the parameters necessary to operate AH and/or ESP.
Internet Key Exchange (IKE)
It is the Security Association that provides the set of algorithms and data that establish the parameters used by AH and ESP. The SA provides the necessary framework for authentication and key exchange, so that the actual Internet Key Exchange (IKE) protocol can provide the authenticated keying material. An SA protects traffic in one direction only, so a pair of SAs is required to form a bidirectional tunnel. IKE negotiation consists of two phases, Phase 1 (Main mode) and Phase 2 (Quick mode). The negotiation process in both modes can be observed in ike.elg with an internal Check Point utility called IKEView. We will cover guidelines for analyzing ike.elg, and instructions for collecting ike.elg and vpnd.elg data. This section discusses only IKEv1, and not Aggressive Mode. While Aggressive Mode is preferred by some third-party gateways, its use is discouraged for Check Point configurations unless required in your production environment.
IKE Key Exchange Process - Phase 1
Troubleshooting a VPN requires an understanding of the process of creating a VPN tunnel. The following is the IKE exchange process. Phase 1 (Main mode) negotiates the encryption method (i.e. AES, 3DES, etc.) and the hash algorithm (SHA1 or MD5), and establishes a key to protect the messages of the exchange. The following describes the stages of the Phase 1 process:
• Stage 1: Peers negotiate algorithms, authentication methods, and Diffie-Hellman (DH) groups.
• Stage 2: Each gateway generates a DH private key and public key and calculates the shared key.
• Stage 3: Peers authenticate using the certificate or PSK. Each side generates a symmetric key based on the DH key, and key material is exchanged between the sides.
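As an added example (not from the manual, and not Check Point code), the Python below carries Stages 2 and 3 through for a pre-shared-key Main Mode exchange using the key derivation of RFC 2409 section 5: SKEYID from the PSK and both nonces, the SKEYID_d/a/e keys from the DH secret and the ISAKMP cookies, and the HASH_I and HASH_R payloads that packets 5 and 6 carry. The DH group is a toy 64-bit prime so the code runs instantly; real IKE uses the MODP groups (group 2 is 1024 bits). The cookies, nonces, identities and SA payload bytes are constructed. The second call shows why a pre-shared-key mismatch only surfaces at packets 5 and 6: nothing in packets 1 to 4 depends on the PSK, and in a real exchange the responder cannot even decrypt packet 5 because its SKEYID_e differs too.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: the 64-bit prime 2**64 - 59.
# Real IKEv1 uses the MODP groups of RFC 2409 (group 2 is a 1024-bit prime).
TOY_P = 0xFFFFFFFFFFFFFFC5
TOY_G = 2
FIELD_BYTES = (TOY_P.bit_length() + 7) // 8


def prf(key, data):
    """IKEv1 prf for a SHA1 proposal is HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n):
    return n.to_bytes(FIELD_BYTES, "big")


class MainModePeer:
    """One side of IKEv1 Main Mode with pre-shared key authentication."""

    def __init__(self, psk, cookie, identity):
        self.psk = psk                                # the configured pre-shared secret
        self.cookie = cookie                          # 8-byte ISAKMP cookie (CKY-I or CKY-R), constructed
        self.identity = identity                      # ID payload body (IDii_b / IDir_b), here the peer IP
        self.nonce = secrets.token_bytes(16)          # Ni / Nr, carried in packets 3 and 4
        self.priv = secrets.randbelow(TOY_P - 2) + 1  # Stage 2: DH private key x
        self.pub = pow(TOY_G, self.priv, TOY_P)       # g^x, carried in packets 3 and 4

    def skeyid(self, peer_pub, ni, nr, cky_i, cky_r):
        """Stage 3 key derivation (RFC 2409 section 5). Returns (SKEYID, SKEYID_d, SKEYID_a, SKEYID_e)."""
        g_xy = to_bytes(pow(peer_pub, self.priv, TOY_P))   # shared DH secret
        skeyid = prf(self.psk, ni + nr)                    # PSK authentication: prf(psk, Ni_b | Nr_b)
        skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
        return skeyid, skeyid_d, skeyid_a, skeyid_e


def main_mode_psk(psk_initiator, psk_responder, sai_b=b"AES-CBC-256/SHA1/PSK/DH2"):
    """Run packets 5 and 6. Returns (responder accepts HASH_I, initiator accepts HASH_R)."""
    init = MainModePeer(psk_initiator, b"\x11" * 8, b"172.24.104.1")
    resp = MainModePeer(psk_responder, b"\x22" * 8, b"172.24.104.2")
    cky_i, cky_r, ni, nr = init.cookie, resp.cookie, init.nonce, resp.nonce
    g_xi, g_xr = to_bytes(init.pub), to_bytes(resp.pub)

    # After packets 3 and 4, each side derives keys from its own PSK; only equal PSKs give equal SKEYIDs.
    skeyid_i = init.skeyid(resp.pub, ni, nr, cky_i, cky_r)[0]
    skeyid_r = resp.skeyid(init.pub, ni, nr, cky_i, cky_r)[0]

    # Packet 5: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    hash_i_body = g_xi + g_xr + cky_i + cky_r + sai_b + init.identity
    responder_accepts = hmac.compare_digest(prf(skeyid_i, hash_i_body), prf(skeyid_r, hash_i_body))

    # Packet 6: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    hash_r_body = g_xr + g_xi + cky_r + cky_i + sai_b + resp.identity
    initiator_accepts = hmac.compare_digest(prf(skeyid_r, hash_r_body), prf(skeyid_i, hash_r_body))
    return responder_accepts, initiator_accepts


if __name__ == "__main__":
    print(main_mode_psk(b"correct horse", b"correct horse"))   # matching PSKs: (True, True)
    print(main_mode_psk(b"correct horse", b"c0rrect horse"))   # mismatch appears only at packets 5/6: (False, False)
```

When reading an ike.elg in IKEView, this is the reason a Main Mode that gets through packet 4 and then stalls or fails on packet 5 points at the pre-shared secret (or, for certificates, the peer's identity and certificate) rather than at the algorithm proposal, which was already settled in packets 1 and 2.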
Example
The IKE exchange uses six packets for Phase 1 (Main mode) and three packets for Phase 2 (Quick mode). For Main mode packet 1, the initiator 172.24.104.1 provides the following information:
• Encryption algorithm: AES-CBC
• Key length: 256 bit
• Hash algorithm: SHA1
• Authentication method: pre-shared key
Figure 2 - Packet 2
2. Packets 3 and 4 perform the key exchange and include a large number never used before, called a nonce. A nonce is a random value sent to the other party, which must fold it into the keying and authentication material it returns, proving that the reply is fresh and comes from the holder of the keys. These two packets are not generally used in troubleshooting a key exchange with IKEView.
Figure 3 - Packets 3 and 4
3. Packets 5 and 6 perform authentication between the peers of the tunnel. The peer's IP address shows in the ID field under MM packet 5:
Figure 4 - Packets 5 and 6
4. Packet 6 shows the peer has agreed to the proposal and has authenticated the initiator:
Figure 5 - Packet 6
In Phase 2, the IPsec Security Associations (SAs) are negotiated, the shared-secret key material used for the security algorithms is determined, and an additional DH exchange occurs. Phase 2 failures are frequently due to a misconfigured VPN Domain, which could include omitted objects, duplicated objects, or choosing all IP addresses behind the Security Gateway. Typically, Check Point recommends a manually defined VPN Domain, which includes all network objects that will participate in the VPN communication.
Phase 2 Stages
Phase 2 can be broken into the following general stages:
• Peers exchange more key material, and agree on encryption and integrity methods for IPsec.
• The DH key is combined with the key material to produce the symmetric IPsec key.
• Symmetric IPsec keys are generated.
The following steps detail the Phase 2 stages:
1. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data:
(Figure: Quick mode packet 1 as shown in IKEView)
... > IPSec VPN > Link Selection. For more details about these settings, refer to the R75 VPN Administration Guide.
Link Selection is only applicable to locally managed VPN peers, such as Endpoint Connect users, or other gateways configured for VPN traffic as long as they are managed centrally by the same Management Server or CMA (see Multi-Domain Security Management).
If the link is set to the wrong IP address, VPN connectivity configured for a remote site can be broken, unless it is configured to "auto-probe". For example, assume a client creates a site with the external IP address of the gateway. During the creation process, the topology is downloaded, including the Link Selection IP, which was set to the internal interface of the gateway. From that point, the client will attempt to establish a tunnel with the IP address set in the Link Selection settings (the internal IP address), instead of the pre-configured external IP selected during site creation. In this case, the connection to the site will most likely fail.
Multiple Entry Point VPNs
If a single gateway provides access to internal resources for remote VPN connections, then remote users' access to valuable resources is vulnerable should the gateway become unavailable. A Multiple Entry Point (MEP) solution was devised to provide an HA solution for VPNs. However, unlike clustered gateways:
• MEP VPNs are not restricted to the location of gateways.
• MEP Security Gateways can be managed by separate Management Servers.
• There is no state synchronization needed between gateways. If one MEP gateway fails, the current connection is lost, but another MEP gateway picks up the next connection.
• The VPN client selects which Gateway site will take over the connection should the first fail; clustered Gateways make the selection themselves in a ClusterXL deployment.
How Does MEP Work
MEP VPNs use the proprietary Probing Protocol (PP) to send special UDP RDP packets to port 259 to discover whether a location (IP) is reachable. It is used by the peer to continuously probe all MEP Security Gateways. The probe indicates whether a gateway is available or not. In this way, each MEP gateway shares its status with the others, and updates them should conditions change.
Explicit MEP
Only Star VPN Communities using more than one central Security Gateway can be defined explicitly as MEP VPNs. This is the recommended method. Explicit MEP VPNs can be configured to have the entry-point Security Gateway chosen either by:
• Selecting the closest gateway to the source (First to respond)
• Selecting the closest gateway to the destination (By VPN domain)
• Selecting randomly (for Load distribution)
• Selecting from a priority list (MEP rules)
Implicit MEP
If fully or partially overlapping encryption domains exist, or where primary or backup gateways are configured, then the MEP VPNs can be implicitly defined. Implicit MEP VPNs can be configured to have the entry-point Security Gateway selected either by:
• First to respond - When no primary Security Gateway is available, all gateways have equal priority, and the first gateway to respond to the probing RDP packets gets chosen as the entry point. Usually, that means the gateway closest to the remote VPN peer in network proximity.
• Primary-Backup - If the primary Security Gateway fails, VPN connectivity is made to go through the backup gateway.
• Load Distribution - If all the Security Gateways share equal priority and the same VPN domain, the traffic load can be distributed so that the connections are shared evenly between all the gateways.
For remote access MEP VPNs, each client must use Office Mode and be assigned its own pool of addresses. If the clients are connected via a routing backbone, then each pool must be routed to the appropriate site. If the client is connected via site-to-site, then it needs to be included in the encryption domain of each gateway.
Tunnel Management
There are two types of VPN tunnel management:
• Permanent Tunnels - This feature keeps VPN tunnels active, allowing real-time monitoring capabilities.
• VPN Tunnel Sharing - This feature provides greater interoperability and scalability between Gateways. It also controls the number of VPN tunnels created between peer Gateways.
Permanent Tunnels
As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. It is essential to make sure VPN tunnels are kept up and running. Permanent Tunnels are constantly kept active and, as a result, make it easier to recognize malfunctions and connectivity problems. Security Administrators can monitor the two sides of a VPN tunnel and identify problems without delay. Each VPN tunnel in a Community may be set to be a Permanent Tunnel. Since Permanent Tunnels are constantly monitored, if a VPN tunnel fails for some reason, a log, alert, or user-defined action can be issued. A VPN tunnel is monitored by periodically sending tunnel-test packets. As long as responses to the packets are received, the VPN tunnel is considered "up". If no response is received within a given time period, the VPN tunnel is considered "down". Permanent Tunnels can only be established between Check Point Gateways. The configuration of Permanent Tunnels takes place on Community objects. There are three options to configure a Permanent Tunnel:
• For the entire Community - this option sets every VPN tunnel in the Community as permanent.
• For a specific Gateway - use this option to configure specific Gateways to have Permanent Tunnels.
• For a single VPN tunnel - this feature allows configuring specific tunnels between specific Gateways as permanent.
Tunnel Testing
Tunnel Test is a proprietary Check Point protocol that is used to test whether VPN tunnels are active. A tunnel-test packet has an arbitrary length, with only the first byte containing meaningful data: the type field. The type field can take any of the following values:
• 1 - Test
• 2 - Reply
• 3 - Connect
• 4 - Connected
Tunnel testing requires two Gateways, one configured as a "Pinger" and one as a "responder". The Pinger Gateway uses the VPN daemon (vpnd) to send encrypted tunnel-testing packets to the responder Gateway. The responder Gateway is configured to listen on port 18234 for these tunnel-testing packets. The Pinger sends type 1 or 3. The responder sends a packet of identical length, with type 2 or 4 respectively. During the connect phase, tunnel testing is used in two ways:
• A Connect message is sent to the Gateway. Receipt of the Connected reply is the indication that the connection succeeded. Connect messages are retransmitted for up to 10 seconds after the IKE negotiation is over if no response is received.
• A series of Test messages with various lengths is sent, so as to discover the Path Maximum Transmission Unit (PMTU) of the connection. This may also take up to 10 seconds. This test is executed to ensure that TCP packets that are too large are not sent. TCP packets that are too large will be fragmented and slow down performance.
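The exchange above, as an added example that is not Check Point code: a Python model of both sides of the tunnel-test protocol. The type values, the port and the "same length back" rule come from the text. The 10-second retransmission window is modelled as 10 attempts, and the simulated path, which drops packets above a constructed payload limit and optionally swallows the first few Connect messages, stands in for a real network so that the connect phase and PMTU discovery can be run offline. Sizes are tunnel-test payload lengths, not IP MTUs.

```python
TEST, REPLY, CONNECT, CONNECTED = 1, 2, 3, 4
TUNNEL_TEST_PORT = 18234          # the responder listens here (UDP), per the text
CONNECT_ATTEMPTS = 10             # stand-in for "retransmitted for up to 10 seconds"


def build_packet(msg_type, length):
    """Pinger side: a packet of the requested length whose only meaningful byte is byte 0, the type."""
    if msg_type not in (TEST, CONNECT):
        raise ValueError("the Pinger sends only Test (1) or Connect (3)")
    if length < 1:
        raise ValueError("a packet needs at least its type byte")
    return bytes([msg_type]) + bytes(length - 1)


def respond(packet):
    """Responder side: a packet of identical length, type 2 for a Test and 4 for a Connect.
    Anything else (empty, unknown type, or a reply echoed back at us) is silently ignored."""
    replies = {TEST: REPLY, CONNECT: CONNECTED}
    if not packet or packet[0] not in replies:
        return None
    return bytes([replies[packet[0]]]) + bytes(len(packet) - 1)


def connect_phase(send, attempts=CONNECT_ATTEMPTS):
    """Retransmit Connect until a Connected reply arrives; False once the window is exhausted."""
    for _ in range(attempts):
        reply = send(build_packet(CONNECT, 1))
        if reply is not None and reply[0] == CONNECTED:
            return True
    return False


def discover_pmtu(send, lo=68, hi=1500):
    """Binary-search the largest Test packet that comes back as a same-length Reply."""
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        reply = send(build_packet(TEST, mid))
        if reply is not None and reply[0] == REPLY and len(reply) == mid:
            best, lo = mid, mid + 1       # fits: try larger
        else:
            hi = mid - 1                  # dropped or truncated: try smaller
    return best


def simulated_path(max_payload, drop_first_connects=0):
    """Constructed network between Pinger and responder: drops packets above max_payload and,
    optionally, the first few Connect messages; otherwise hands the packet to respond()."""
    connects_seen = [0]

    def send(packet):
        if len(packet) > max_payload:
            return None
        if packet[0] == CONNECT:
            connects_seen[0] += 1
            if connects_seen[0] <= drop_first_connects:
                return None
        return respond(packet)

    return send


if __name__ == "__main__":
    path = simulated_path(max_payload=1400, drop_first_connects=3)
    print("connected:", connect_phase(path))         # True, on the fourth Connect
    print("largest payload:", discover_pmtu(path))   # 1400
```

A responder that answered with a fixed-size reply, or that answered Reply packets as well as Test packets, would break the PMTU step and could be made to bounce traffic between two gateways; the length check in discover_pmtu and the type check in respond are what keep the protocol a strict request/response pair.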
VPN Tunnel Sharing
Since various vendors implement IPsec tunnels in a number of different ways, Administrators need to cope with different means of implementing the IPsec framework. VPN Tunnel Sharing provides interoperability and scalability by controlling the number of VPN tunnels created between peer Gateways. There are three available settings:
• One VPN Tunnel per each pair of hosts
• One VPN Tunnel per subnet pair
• One VPN Tunnel per Gateway pair
Tunnel Management Configuration
Tunnel management is configured in the community object:
Figure 11 - Tunnel Management
Permanent-Tunnel Configuration
To set VPN tunnels as permanent, select Set Permanent Tunnels. The following Permanent Tunnel modes are then made available:
• On all tunnels in the community
• On all tunnels of specific Gateways
• On specific tunnels in the community
To make all VPN tunnels in a Community permanent, select On all tunnels in the community. To make all VPN tunnels of specific Gateways permanent, select On all tunnels of specific Gateways, select the Gateways you want, and all VPN tunnels to those Gateways will be set as permanent. Tracking options can be configured for specific Gateways' VPN tunnels in the Gateway Tunnels Properties screen; Use Community Tracking Option is the default setting, and you can select specific tracking options instead. To configure specific tunnels in a Community to be permanent, select On specific tunnels in the community and click the Set Permanent Tunnels button. For example, to make the tunnel between Remote-1-gw and Remote-3-gw permanent, click in the cell where Remote-1-gw and Remote-3-gw intersect, then:
1. Click Selected Tunnel Properties to display the Tunnel Properties screen.
2. Click Select these tunnels to be permanent tunnels.
3. Click OK.
Tracking options
Several types of alerts can be configured to keep Administrators up-to-date on the status of VPN tunnels. Tracking settings can be configured on the Tunnel Management screen of the Community Properties window for all VPN tunnels, or they can be set individually when configuring the permanent tunnels themselves. The different options are Log, Popup Alert, Mail Alert, SNMP Trap Alert, and User Defined Alert. Choosing one of these alert types enables immediate identification of a problem and the ability to respond to it more effectively.
Advanced Permanent-Tunnel Configuration
Several attributes allow for customization of tunnel tests and intervals for permanent tunnels:
1. In SmartDashboard, select Global Properties > SmartDashboard Customization.
2. Click Configure. The Advanced configuration screen is displayed.
3. Click VPN Advanced Properties > Tunnel Management to view the five attributes.
VPN Tunnel Sharing Configuration
VPN Tunnel Sharing provides greater interoperability and scalability by controlling the number of VPN tunnels created between peer Gateways. VPN Tunnel Sharing can be configured on both the VPN Community and Gateway objects. Tunnel Sharing is configured using the following settings:
• One VPN tunnel per each pair of hosts: A VPN tunnel is created for every session initiated between every pair of hosts.
• One VPN tunnel per subnet pair: Once a VPN tunnel has been opened between two subnets, subsequent sessions between the same subnets share the same VPN tunnel. This is the default setting, and is compliant with the IPsec industry standard.
• One VPN tunnel per Gateway pair: One VPN tunnel is created between peer Gateways and shared by all hosts behind each peer Gateway.
If there is a conflict between the tunnel properties of a VPN Community and a Gateway object that is a member of that same Community, the "stricter" setting is used. For example, if a Gateway object was set to one VPN Tunnel per each pair of hosts, and the Community object was set to one VPN Tunnel per subnet pair, VPN sharing will use one VPN Tunnel per each pair of hosts.
Troubleshooting
The first step in troubleshooting a VPN tunnel and IKE negotiation is to ensure that packets destined for the VPN tunnel from the peer arrive at the Security Gateway, and vice versa. The SmartView Tracker log is a good way to confirm that IKE packets arrive at the Gateway. If there are no messages in SmartView Tracker, fw monitor is helpful for confirming whether IKE packets arrive at and leave the Gateway. Once you verify that IKE packets arrive at both sides, run a debug for IKE traffic with the vpn debug on command. Generate some traffic from your VPN Domain to the peer's VPN Domain. If the ike.elg file does not contain useful information, an invalid tunnel may have been initiated previously, and it is necessary to remove the related SA keys from the table. Use the vpn tu command to remove site-to-site IKE and/or IPsec keys and initiate traffic across the tunnel. This should place useful information into ike.elg. In the new ike.elg file, if you can identify on which packet the IKE negotiation fails, you can check the relevant configuration parameters and correct accordingly. Also look at the vpnd.elg file. This file contains useful information about other errors that might have occurred during the VPN tunnel establishment process.
VPN Debug
vpn debug Command
The command vpn debug contains multiple utilities for troubleshooting VPN issues. The following lists all options for the command:
vpn debug < on [DEBUG_TOPIC=level] | off | ikeon [-s size (Mb)] | ikeoff | trunc | truncon | truncoff | timeon [SECONDS] | timeoff | ikefail [-s size (Mb)] | mon | moff >
Run the command with -help to see a description of all the parameters. Below, you can find details on some specific options of the vpn debug command.
vpn debug on | off
vpn debug on - Turn on vpn debug, and write the output to the following file: vpnd.elg
vpn debug on [debug topic]=[debug level] sets the specified TDERROR topic to the specified level, without affecting any other debug settings. This may be used to turn specific topics on or off.
vpn debug on TDERROR_ALL_ALL=<level> (1 to 5) turns on default VPN debugging, i.e., all TDERROR output and default VPN topics, without affecting any other debug settings.
vpn debug off - Disable vpn debug.
vpn debug ikeon | ikeoff
vpn debug ikeon - Turn on IKE debug and write the output to the following file: ike.elg
vpn debug ikeoff - Disable IKE debug.
vpn Log Files
The ike.elg file contains information about the negotiation process for IKE encryption. The vpnd.elg file contains verbose information regarding the negotiation process and other encryption failures. VPN debug logging is enabled using the vpn debug on command. The output of the debugging commands is written to two different locations, depending on what is being debugged:
• IKE debugging is written to $FWDIR/log/ike.elg.
• VPN debugging is written to $FWDIR/log/vpnd.elg.
vpn debug trunc
When the vpn debug on command runs, the output is written to the $FWDIR/log/vpnd.elg file by default.
VPN Environment Variables
Setting environment variables to enable logging should only be performed in circumstances where VPNs are failing. The following are the commands to enable the variables:
• Windows - set VPN_DEBUG=1
• Unix - setenv VPN_DEBUG 1
In previous versions, Check Point recommended setting the environment variables to enable VPN debugging. As of VPN-1 NGX, vpn debug on is the preferred method. Setting the environment variables is recommended as a method for debugging only if there is a VPN tunnel failure.
vpn Command
The vpn command displays and controls various aspects of a Gateway. The following table lists other options for the vpn command that can be useful when troubleshooting/debugging a VPN related issue:

Command                   Description
vpn crl_zap               Erases all CRLs (Certificate Revocation Lists) from cache
vpn crlview               Debugging tool for CRLs
vpn tunnelutil / vpn tu   Displays a list of options to manage a VPN tunnel session; vpn tu can be used to stop all VPN tunnels or individual tunnels.
vpn drv                   Attaches the VPN driver to the fw driver; setting vpn drv to off tears down all existing VPN tunnels, so caution should be used with this command. When vpn drv is set to on, all VPN tunnels are renegotiated beginning at IKE Phase 1.
vpn ver [-k]              Displays VPN version
vpn accel                 Displays operations on VPN Accelerator Card
vpn compstat              Displays compression/decompression statistics
vpn compreset             Resets compression/decompression statistics
vpn export_p12            Tool to export a p12 file from the Gateway Certificate

TABLE 1: vpn Command Options
vpn tu
The command vpn tu is short for vpn tunnelutil, and is useful for deleting IPsec or IKE SAs to a specific peer or user without interrupting other VPN activities.
Comparing SAs
The following is a quick process to verify that you and a potential VPN partner are configured correctly:
1. Enable VPN debugging on both your site and your partner's site with vpn debug trunc.
2. Use vpn tunnelutil (vpn tu) to remove all SAs, either for the peer with which you are about to create the tunnel or for all tunnels.
3. Have your peer initiate the tunnel from its site to yours.
4. Use vpn tunnelutil (vpn tu) to remove all SAs again, either for the peer with which you are about to create the tunnel or for all tunnels.
5. Initiate the tunnel from your site to your peer.
6. Disable debugging on both sites.
7. Examine ike.elg and vpnd.elg, as they will now contain records of the SA sent by your gateway, as well as what was received from your partner site.
R75 Training Manual
131
Advanced IPsec VPN and Remote Access
Examples
You have several site-to-site VPN tunnels among Gateways. You want to remove the IKE SAs for a particular peer, without interrupting the other VPNs. How do you do that?
Run vpn tu from the Gateway Command Line Interface, and select the "delete all IPSec and IKE SAs for a given Peer (GW)" option.
VPN Encryption Issues
A typical issue with encryption is when Quick mode packet 1 fails with the error "No Proposal Chosen" from the peer. This failure is usually caused when a peer does not agree to the proposal fields, such as encryption strength or hash. A Security Gateway agrees loosely to the proposal, when it is host- or network-based. Third-party vendors sometimes only agree to these proposals with strict adherence to defined parameters. Another common problem is when a Security Gateway proposes a supernetted network address as the VPN Domain to a Cisco Concentrator (or other vendor) in Phase 2. The Cisco device only agrees to a VPN Domain that matches its network address and subnet mask. This issue is known as the Largest Possible Subnet problem. Here are some troubleshooting steps for this issue:
• Check the Shared Tunnel settings in the Tunnel Management section of the VPN community. Make sure both sides agree on either host-based or subnet-based. Interoperable devices do not support the Gateway to Gateway option.
• In GuiDBedit, change the property ike_use_largest_possible_subnet to false. This will prevent Check Point from supernetting networks in the VPN domain; the subnets defined in the network objects will be used.
• Check for multiple network objects in the VPN domain that overlap. For example, 10.1.1.1/24 and 10.0.0.0/8 are both in the VPN domain. It is possible that a packet sourced from 10.1.x.x will use 255.0.0.0 for the subnet in Phase 2 instead of 255.255.255.0.
• In some cases, particularly when network overlaps exist in the VPN domain, it is still required to modify the user.def file. See SecureKnowledge solutions sk19243 and sk30919 on Check Point's Web site: https://usercenter.checkpoint.com/support
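The overlap and supernetting behaviour described above, modelled as an added example (this is not code from the manual or from Check Point). The network-object names and the sample VPN domain are constructed, and the boolean flag stands in for the GuiDBedit property ike_use_largest_possible_subnet mentioned in the text.

```python
"""Added example (not from the manual): a small model of the "largest possible
subnet" problem described above.

A VPN domain is a set of network objects. When the objects overlap (10.1.1.0/24
inside 10.0.0.0/8) and the gateway proposes the widest enclosing subnet as the
Phase 2 ID, a strict interoperable peer that only accepts an exact network/mask
match rejects it ("No Proposal Chosen"). Object names and the sample domain are
constructed; the flag name mirrors the GuiDBedit property in the text."""
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed VPN domain, reproducing the overlap case from the text
# (10.1.1.x is covered both by a /24 object and by a /8 object).
VPN_DOMAIN: Dict[str, str] = {
    "Net_10.1.1.0": "10.1.1.0/24",
    "Net_10.0.0.0": "10.0.0.0/8",
    "Net_192.168.10.0": "192.168.10.0/24",
}


def find_overlaps(domain: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return pairs of network-object names whose subnets overlap.

    Overlapping objects are the precondition for the Phase 2 mask mismatch,
    so this is the first check to run on a VPN domain."""
    nets = {name: ip_network(cidr) for name, cidr in domain.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def phase2_subnet(domain: Dict[str, str], src_ip: str,
                  use_largest_possible_subnet: bool = True) -> Optional[IPv4Network]:
    """Subnet a gateway would propose as the Phase 2 ID for traffic from src_ip.

    With use_largest_possible_subnet=True (modelling the default behaviour)
    the widest enclosing object wins; with False (the property set to false
    in GuiDBedit) the most specific defined object is used instead."""
    ip = ip_address(src_ip)
    matching = [ip_network(c) for c in domain.values() if ip in ip_network(c)]
    if not matching:
        return None
    if use_largest_possible_subnet:
        return min(matching, key=lambda n: n.prefixlen)   # shortest prefix wins
    return max(matching, key=lambda n: n.prefixlen)       # longest prefix wins


def peer_accepts(proposed: Optional[IPv4Network], peer_defined: str) -> bool:
    """A strict peer (the Cisco case in the text) agrees only when the proposed
    network and mask exactly match the subnet configured on its side."""
    if proposed is None:
        return False
    return proposed == ip_network(peer_defined)


def diagnose(domain: Dict[str, str], src_ip: str,
             peer_defined: str) -> Dict[bool, Tuple[str, bool]]:
    """Compare the proposal with and without supernetting against the peer."""
    report: Dict[bool, Tuple[str, bool]] = {}
    for flag in (True, False):
        proposed = phase2_subnet(domain, src_ip, flag)
        report[flag] = (str(proposed), peer_accepts(proposed, peer_defined))
    return report


if __name__ == "__main__":
    print("overlapping objects:", find_overlaps(VPN_DOMAIN))
    for flag, (subnet, ok) in diagnose(VPN_DOMAIN, "10.1.1.50", "10.1.1.0/24").items():
        print(f"ike_use_largest_possible_subnet={flag}: propose {subnet}, "
              f"strict peer accepts: {ok}")
```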
Example 1
Assume you have a site-to-site VPN between two Check Point Security Gateways. They are managed by their own Management Servers. You see a lot of IKE Phase 1 failures in SmartView Tracker. You run IKE debug on one Gateway and discover only one packet in Main mode is transferred. There is no packet in Main mode after packet 1. What might have caused this problem?
First, check VPN settings (including Encryption Algorithm, key length, and Hash method) in the Community object. Make sure Phase 1 settings are identical on both sides. Also check Phase 1 settings in the Advanced settings in the Community object, such as group 1 or group 2, aggressive mode, etc. They must be defined identically on both sides.
Example 2
You are configuring a site-to-site VPN from a Check Point Security Gateway to a Cisco device. You see that traffic initiated from the VPN Domain inside the Security Gateway is dropped with the error, "Packet is dropped as there is no valid SA". The Cisco side is sending "Delete SA" to the Security Gateway. The IKE debug indicates a Phase 2 (Quick mode) failure. What is causing the misconfiguration?
A Quick mode failure usually indicates the VPN Domain is not configured exactly the same for one or both peers. For example, if the Security Gateway's VPN Domain is a Class B network, but the same network is defined with a Class C subnet mask on the Cisco VPN configuration, then this type of error occurs.
Practice and Review
Practice Labs
Lab 5: Configuring Site-to-Site VPNs with Third Party Certificates
Lab 6: Remote Access with Endpoint Security VPN
Review Questions
1. What are the stages of a Phase 2 IKE exchange?
2. What is the advantage of Link Selection for VPN traffic?
3. What type of VPN communities can be explicitly defined as MEP VPNs?
4. Quick mode packet 1 fails with error "No Proposal Chosen" from the peer. What is likely the cause?
CHAPTER 6
Auditing and Reporting
Chapter 6: Auditing and Reporting
The SmartEvent Software Blade turns security information into action with real-time security event correlation and management for Check Point security gateways and third-party devices. SmartEvent's unified event analysis identifies critical security events from the clutter while correlating events across all security systems. Its automated aggregation and correlation of data not only minimizes the time spent analyzing log data but also isolates and prioritizes the real security threats. The SmartReporter Software Blade centralizes reporting on network, security, and user activity and consolidates the data into concise predefined and custom-built reports. Easy report generation and automatic distribution save time and money.
Objectives
• Create Events or use existing event definitions to generate reports on specific network traffic using SmartReporter and SmartEvent in order to provide industry compliance information to management.
• Using your knowledge of SmartEvent architecture and module communication, troubleshoot report generation given command-line tools and debug-file information.
Auditing and Reporting Processes
From the standpoint of a network or security administrator, their role is completely guided by processes and procedures, and the need to document any changes implemented on the corporate network. In order to be compliant with industry standards and corporate mandates, this documentation is a crucial part of an administrator's job. Corporate governance, and efficient auditing and reporting throughout the lifecycle of regulatory compliance practices, are important.
Auditing and Reporting Standards
The Sarbanes-Oxley Act of 2002 outlines nine audit policies for IT compliance checking. They ensure suspicious activity and system breaches are kept in check by alerting corporate officials of potential threats. They include:
• Account logon
• Logon
• Account Management
• Policy Change
• Process Tracking
• Object Access
• Privilege Use
• System Events
• Directory Service Access
Implementing these audit policies produces detailed records for the following IT security aspects according to the Sarbanes-Oxley Act:
• Password changes
• Changes to access rights to shares, files, folders, etc.
• Attempts of unauthorized access to computer system resources.
• Attempts of unauthorized access to information held in application systems.
• All internal system activity including logins, file accesses and security incidents.
• Produce and retain logs recording exceptions and security-related events.
• Any attempts of unauthorized changes to IT systems.
• Key system files and critical data for unauthorized changes.
• Changes to Active Directory permissions for user accounts, groups and computer accounts.
• Unauthorized Active Directory access permissions.
• Any changes to users, groups, rights, and user account policies.
• Notifications of group policy changes.
• Authorized users' attempts to perform unauthorized activities.
• Permission changes in Active Directory.
• User information, access information, date and time stamp.
• Real-time policy modifications.
• Last accessed dates for files and applications.
Check Point's reporting tools generate thousands of events which include detailed log information. The automated processes SmartEvent and SmartReporter provide a way to ease the workload of filtering all this raw material to come up with a concise breakdown of meaningful data.
SmartEvent
SmartEvent is a management Software Blade that uses network security information with real-time security event correlation and management for Check Point Security Gateways and third-party devices. SmartEvent's unified event analysis identifies critical security events from the clutter of data, while correlating events across all security systems. Its automated aggregation and correlation of data minimizes the time spent analyzing log data, and also isolates and prioritizes the real security threats.
Figure 1 - SmartEvent
The full SmartEvent Software Blade can monitor events for all Check Point products and third-party devices. It includes pre-defined queries and event definitions for firewall, VPN, Endpoint Security, IPS, DLP, Identity Awareness and Application Control.
SmartEvent is available as a software blade or an appliance. The following management software blades are bundled in each SmartEvent appliance:
• SmartEvent
• SmartReporter
• Logging and Status
As part of the Software Blade architecture, the original Eventia Analyzer product name was changed to Event Correlation Software Blade. The Eventia Correlation Software Blade is renamed to SmartEvent Software Blade to better represent the product's unique value proposition.
SmartEvent Intro
The SmartEvent Intro Software Blade provides centralized, real-time security event correlation and management for a single Check Point Security Software Blade. For example, you could purchase the SmartEvent Intro Software Blade for either IPS or DLP event management. The full reporting capabilities are a part of the SmartReporter Software Blade (which is bundled with the full SmartEvent Software Blade). It is possible to upgrade to the full SmartEvent version for full reporting. However, it is only possible to install one SmartEvent Intro Software Blade per device. To obtain monitoring and correlation of firewall events, you would need the full SmartEvent Software Blade.
SmartEvent Architecture
Three main components are responsible for producing the log consolidation, correlation and analysis results:
• Correlation Unit (CU) - Analyzes logs looking for patterns according to the installed Event Policy. When a threat pattern is identified, the CU forwards an event to the Eventia Analyzer Server.
• Analyzer Server - Receives events from the CU and assigns a severity level to the event. It invokes any defined automatic reactions, and adds the event to the Events Database, which resides here. The severity level and automatic reaction are based on the Events Policy. In addition, it imports certain objects from the management server to define the internal network. Changes made to the objects on the management server are reflected in the client. The Analyzer Server defines automatic responses and manages the database.
• Analyzer Client - The Windows GUI that displays the received events, and manages them for filtering and status (i.e., closed events). It provides fine-tuning and installation of the Events Policy.
An example of how the deployment scenario might look in an enterprise environment is the following:
Figure 2 - Enterprise Environment
Component Communication Process
Before going into any depth about how SmartEvent processes work, note the following different Check Point protocols, all of which are utilized here.
[Figure: Check Point protocols used between the SmartEvent components, including OPSEC, Application Monitoring, Log Export API and Event Logging API, and the passing of events from the Correlation Unit to the Analyzer]
Figure 16 - SmartReporter
SmartReporter
A Consolidation Policy is similar to a Security Policy in terms of its structure and management. For example, both Rule Bases are defined through the SmartDashboard's Rules menu and use the same network objects. In addition, just as Security Rules determine whether to allow or deny the connections that match them, Consolidation Rules determine whether to store or ignore the logs that match them. The key difference is that a Consolidation Policy is based on logs, as opposed to connections, and has no bearing on security issues. The Log Consolidation Solution diagram illustrates the Consolidation process, defined by the Consolidation Policy.
[Figure 17 - Log Consolidation: a log matches a Consolidation Rule and is either ignored (no record of this log will be saved) or stored, as is or consolidated]
After the Security Gateways send their logs to the Security Management server, the Log Consolidator Engine collects them, scans them, filters out fields defined as irrelevant, merges records defined as similar and saves them to the SmartReporter Database. The figure illustrates how the Consolidation Policy processes logs: when a log matches a Consolidation Rule, it is either ignored or stored. If it is ignored, no record of this log is saved in the SmartReporter system, so its data is not available for report generation. If it is stored, it is either saved as is (so all log fields can later be represented in reports), or consolidated to the level specified by the Rule.
The consolidation is performed on two levels: the interval at which the log was created and the log fields whose original values should be retained. When several logs matching a specific Rule are recorded within a predefined interval, the values of their relevant fields are saved "as is", while the values of their irrelevant fields are merged (i.e., "consolidated") together. The SmartReporter server can then extract the consolidated records matching a specific report definition from the SmartReporter Database and present them in a report layout.
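The ignore / store-as-is / consolidate decision and the interval-based merging described in the last two paragraphs, written out as an added example (not the manual's or Check Point's code). The rule names, log field names and sample logs are constructed for illustration.

```python
"""Added example (not from the manual): a toy model of the Consolidation Policy
described above. A log either matches no rule, or is ignored, stored as is, or
consolidated: within a configurable interval, logs that agree on the "relevant"
fields collapse into one record whose irrelevant fields are merged. Rule names,
field names and the sample logs are constructed; this does not reproduce the
real Log Consolidator Engine."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Log = Dict[str, object]   # one gateway log, flattened to field -> value


@dataclass
class ConsolidationRule:
    """Like a Security Rule, a Consolidation Rule matches on log fields; unlike
    one, its action is "ignore", "as_is" or "consolidate" rather than accept/drop."""
    name: str
    match: Callable[[Log], bool]
    action: str
    interval: int = 0                                       # seconds, for "consolidate"
    keep_fields: List[str] = field(default_factory=list)    # fields retained "as is"


@dataclass
class Consolidated:
    """One SmartReporter DB record built from several similar logs."""
    rule: str
    interval_start: int
    kept: Dict[str, object]
    count: int = 0
    merged: Dict[str, Counter] = field(default_factory=dict)  # irrelevant fields, merged


def consolidate(logs: List[Log], rules: List[ConsolidationRule]) -> List[object]:
    """Apply the rules top-down (first match wins, as in a Rule Base) and return
    the records that would reach the SmartReporter Database."""
    db: List[object] = []
    buckets: Dict[Tuple, Consolidated] = {}
    for log in logs:
        rule = next((r for r in rules if r.match(log)), None)
        if rule is None or rule.action == "ignore":
            continue                      # no record of this log is saved
        if rule.action == "as_is":
            db.append(dict(log))          # every field stays available to reports
            continue
        # "consolidate": group by rule, interval slot and the retained field values
        slot = int(log["time"]) // rule.interval * rule.interval
        kept = {f: log[f] for f in rule.keep_fields}
        key = (rule.name, slot) + tuple(sorted(kept.items()))
        rec = buckets.get(key)
        if rec is None:
            rec = Consolidated(rule.name, slot, kept)
            buckets[key] = rec
            db.append(rec)
        rec.count += 1
        for name, value in log.items():   # irrelevant fields lose identity, keep counts
            if name != "time" and name not in rule.keep_fields:
                rec.merged.setdefault(name, Counter())[str(value)] += 1
    return db


# Constructed sample logs (not a real gateway capture); "time" is epoch seconds.
SAMPLE_LOGS: List[Log] = [
    {"time": 1000, "action": "accept", "src": "10.1.1.5", "dst": "192.168.10.2", "service": "http", "rule": 3},
    {"time": 1010, "action": "accept", "src": "10.1.1.6", "dst": "192.168.10.2", "service": "http", "rule": 3},
    {"time": 1020, "action": "accept", "src": "10.1.1.5", "dst": "192.168.10.9", "service": "http", "rule": 3},
    {"time": 1050, "action": "drop", "src": "172.16.0.4", "dst": "192.168.10.2", "service": "telnet", "rule": 0},
    {"time": 1300, "action": "accept", "src": "10.1.1.7", "dst": "192.168.10.2", "service": "http", "rule": 3},
    {"time": 1310, "action": "accept", "src": "10.1.1.5", "dst": "192.168.10.2", "service": "dns", "rule": 4},
]

# Constructed Consolidation Policy: DNS noise is dropped, drops are kept whole,
# HTTP accepts are consolidated per 5-minute interval keeping only action/service.
RULES: List[ConsolidationRule] = [
    ConsolidationRule("ignore_dns", lambda l: l["service"] == "dns", "ignore"),
    ConsolidationRule("keep_drops", lambda l: l["action"] == "drop", "as_is"),
    ConsolidationRule("web_5min", lambda l: l["service"] == "http", "consolidate",
                      interval=300, keep_fields=["action", "service"]),
]

if __name__ == "__main__":
    for rec in consolidate(SAMPLE_LOGS, RULES):
        print(rec)
```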
Report Types
Two types of reports can be created:
• Standard Reports - The Standard Reports are generated from information in log files through the Consolidation process to yield relevant analysis of activity.
• Express Reports - Express Reports are generated from SmartView Monitor History files and are produced much more quickly.
SmartReporter Standard Reports are supported by two Clients:
• SmartDashboard - manages the Log Consolidation rules (the Log Consolidator).
• SmartReporter Client - generates and manages reports.
The interaction between the SmartReporter Client and Server components applies both to a distributed installation, where the Security Management server and SmartReporter's Server components are installed on two different machines, and to a standalone installation, in which these Software Blades are installed on the same machine.
Practice and Review
Practice Lab
Lab 7: SmartEvent and SmartReporter
Review Questions
1. What does the SmartReporter Consolidation Policy do?
2. What is the difference between a Consolidation Policy and a Security Policy?
3. When is an event reported?
Appendix A
User Mode Debug
Running User-Mode Debug
There are three main mechanisms that help to address issues in the User-mode processes:
• OPSEC
• TDERROR
• HERROR
In order to use these mechanisms, it is important to understand two different types of code components:
1. OPSEC - Open Platform for Secure Enterprise Connectivity was an infrastructure originally written to allow third-party vendors to have an API to Check Point code, and write complementary components (i.e., CVP). This infrastructure was written with a built-in debugging mechanism which allowed the developer to define specific conditions within the code (i.e., DEBUG_LEVEL=<1-9>) that will result in the printing of debug messages. Eventually, development started on native Check Point components which used the OPSEC infrastructure.
2. Native - Most of the code/components are written as independent modules which do not use the OPSEC infrastructure. For these components, a newer and more elaborate debugging infrastructure was devised, in which you could define the component (application) you wish to debug within the process. You can define the context (topic) of the debug for that component, and establish conditions with a specific detail level (i.e., TDERROR_<application>_<topic>=<level>).
Analyze Debug Output
Begin by searching the file for keywords or phrases that would suggest a failure of some sort. It might be useful to consider what the developer might have used to describe the kind of error you are looking for. Once an error is identified which is believed to match the criteria of the problem, start scrolling up, reading the output of the lines that precede the error to see what went wrong, and collect the relevant information (IP addresses, user names, configuration settings, etc.). For example, a common problem is having administrators report that they are unable to connect to SmartConsole applications. The error we see may be ambiguous and hard to derive anything from. During the forensic examination, try to understand which component in the system is causing the problem. For management scenarios, the most logical suspect will be the FWM process. In this case, note that cpwd_admin list reports all services are up and no previous failures are evident. You should probably also check for connectivity between the GUI client machine and the Management server before you begin extensive debugging. Run debug on FWM and watch what is happening when the administrator is trying to connect:
fw debug fwm on TDERROR_ALL_ALL=5
tail -f $FWDIR/log/fwm.elg
Now, open the file and search for the keyword, "failed".
[Figure 4 - elg File: fwm.elg excerpt, largely illegible in the scan. The recoverable lines show the GUI client SIC name being read on the connection, then "Login failed: 192.168.121.1 is not allowed remote login", "fwm_log: login failed from IP: 192.168.121.1 CN=GUI_Client ... Unauthorized client", and the policy query finishing with "deny".]
In this case, the debug output shown above shows that searching for the word "failed" displays the relevant line showing that the IP address being used does not allow remote login and, as a consequence, the attempt to log in was rejected. The function which failed reported "Unauthorized client", which can be verified by running cpconfig on the Management Server and checking the GUI client list. The GUI client list confirms that the problem was indeed that the IP address from which the connection was being made (192.168.121.1) was not defined in the GUI client list of the Management Server. By the way, a good hint to the root cause of the problem is in the line before the failure, where the function is called to check the list of the GUI clients. The example was fairly simple and can usually be resolved without even having to debug the system. But what happens if the Administrator fails to log in, and it is confirmed by running cpwd_admin list that a service failed to start? You could simply run cpstop; cpstart to restart all firewall processes, and hope that the problem goes away, but that doesn't address why the problem occurred in the first place and is not really a solution. Instead, attempt to run the process while in debug mode and try to understand the root cause of the failure.
The debug file shows that before the failure, FWM was trying to open the file /opt/CPshrd-R70/conf/...policy.conf (the file name is illegible in the scan). After reviewing that file, you confirm that for some reason the file got renamed and the "f" is missing from the file extension ".conf". Renaming the file and running fwm or cpstop; cpstart should solve the problem. Sometimes things like file permissions or even changed file names cause simple lookup functions to fail, causing processes to fail to start. By identifying the problematic file and checking it, the root cause of the problem can be detected and solved immediately.
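The triage method described in "Analyze Debug Output" (search the .elg file for a failure keyword, read the lines preceding it, collect IP addresses and CNs, then compare against the GUI client list from cpconfig), written as an added example rather than code from the manual or from Check Point. The fwm.elg-style lines and the GUI client list are constructed to resemble the format, not a real capture.

```python
"""Added example (not from the manual): a triage helper applying the method
described above to a user-mode debug file such as $FWDIR/log/fwm.elg: find the
lines that suggest a failure, keep the lines that precede each one, and collect
the IP addresses and certificate CNs they mention so they can be checked against
the GUI client list from cpconfig. The log lines and the GUI client list below
are constructed to resemble the fwm.elg format; they are not a real capture."""
import re
from typing import Dict, List, Sequence

# Constructed fwm.elg-style excerpt (format approximated, not a real log).
SAMPLE_ELG = """\
[FWM 2306 1993078528]@mgmt[13 May 12:57:23] fwm_service: get_type 20
[FWM 2306 1993078528]@mgmt[13 May 12:57:23] policy_query: checking gui_clients list - CN=GUI_Client
[FWM 2306 1993078528]@mgmt[13 May 12:57:23] gui_connection_sic_plugin: gui client SIC name on connection 20
[FWM 2306 1993078528]@mgmt[13 May 12:57:23] Login failed: 192.168.121.1 is not allowed remote login
[FWM 2306 1993078528]@mgmt[13 May 12:57:23] fwm_log: login failed from IP: 192.168.121.1 CN=GUI_Client; reject client - Unauthorized client
[FWM 2306 1993078528]@mgmt[13 May 12:57:23] policy_query finished successfully - deny
"""

FAILURE_WORDS = ("failed", "error", "reject", "denied")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CN_RE = re.compile(r"CN=([A-Za-z0-9_.-]+)")


def find_failures(text: str, words: Sequence[str] = FAILURE_WORDS,
                  context: int = 3) -> List[Dict[str, object]]:
    """Return each line containing a failure keyword (case-insensitive) together
    with up to `context` preceding lines, which is where the cause usually is."""
    lines = text.splitlines()
    hits: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        low = line.lower()
        if any(w in low for w in words):
            hits.append({"line_no": idx + 1, "line": line,
                         "before": lines[max(0, idx - context):idx]})
    return hits


def extract_indicators(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Collect distinct IP addresses and CNs from the hits and their context,
    in order of first appearance."""
    ips: List[str] = []
    cns: List[str] = []
    for hit in hits:
        for line in list(hit["before"]) + [hit["line"]]:
            for ip in IP_RE.findall(line):
                if ip not in ips:
                    ips.append(ip)
            for cn in CN_RE.findall(line):
                if cn not in cns:
                    cns.append(cn)
    return {"ips": ips, "cns": cns}


def missing_gui_clients(ips: Sequence[str], gui_clients: Sequence[str]) -> List[str]:
    """IPs seen in the failure context that are absent from the GUI client list
    (the list cpconfig shows on the Management Server)."""
    allowed = set(gui_clients)
    return [ip for ip in ips if ip not in allowed]


def triage(text: str, gui_clients: Sequence[str]) -> Dict[str, object]:
    """Whole procedure: failures -> indicators -> check against GUI clients."""
    hits = find_failures(text)
    ind = extract_indicators(hits)
    return {"failures": len(hits), "ips": ind["ips"], "cns": ind["cns"],
            "not_in_gui_clients": missing_gui_clients(ind["ips"], gui_clients)}


if __name__ == "__main__":
    # Constructed GUI client list; 192.168.121.1 is deliberately absent from it.
    print(triage(SAMPLE_ELG, ["192.168.121.50", "10.0.0.5"]))
```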
Perform a Core Dump
A core dump occurs when a process crashes. It consists of the process's working memory's recorded state at the time of the crash. Operating systems are not set to save core files automatically in case of a crash. Activating core dump in SecurePlatform can be:
• Permanent (requires reboot) using the command, um_core enable
• Not permanent (does not require reboot) using the command, ulimit -c unlimited
In practice, other key pieces of a program's status are usually dumped at the same time, such as the processor registers, which may include the program counter and stack pointer, memory management information, and other processor and operating system flags and information. You should be aware of the performance implications when enabling core dumps and only use it on a system which suffers from frequent process crashes. In SecurePlatform, you can use the command, ulimit -a, for testing if the core file size is set to unlimited. In SecurePlatform, the core files are saved in /var/log/dump/usermode. Use a free utility for viewing the core file. Gdb is a free utility (executable) that you may download from the internet. By running the process from Gdb, you control the process flow and can trace the failure. Import the Gdb utility into the core file path, and make sure the Gdb utility has execute permissions (i.e., ls -la). To open the core file, type ./gdb. For example: ./gdb fwm fwm.983.core
Since running the process in Gdb requires a background in development and a good understanding of how the OS works, you can simply run the process from Gdb, then run the command, bt, in the Gdb prompt. This will print the stack, which is useful to attach to a Service Request. For example, (gdb) bt. It is recommended to attach the core file with a CPinfo to a Service Request (SR). For example:
(gdb) bt
#0  0x081eb9a0 in CNesStatusMgr::RemoveClient(void (*)(E_GeneralState, char const*, bool, void*), void*) ()
#1  0x082952b9 in CStatusAgentRequest::~CStatusAgentRequest() ()
#2  0x082a12b4 in CStatusAgentRequest::Release() ()
#20 0x00857745 in T_event_mainloop () from /opt/CPshrd-R65/lib/libComUtils.so
#21 0x0810edcd in fwm_cmain ()
#22 0x080ed2f9 in fwmbin_cmain ()
#23 0x080eedd6 in main ()
(gdb)
Kernel Debug
Unlike the user-space debug, where we need to explicitly turn the debug on or off, the kernel always writes debug messages according to preset definitions. In different operating systems, these debug messages are handled differently. These debug messages are referred to as "console messages", because in most supported operating systems the messages are printed to the console and copied to /var/log/messages or /var/adm/messages. When no buffer is defined in the kernel, messages are sent directly to the OS. When generated in debugging context, error messages are not directed to the console, but to the debug buffer together with all other messages. In Windows, "console messages" are viewed in the Event Viewer. Consequently, before enabling kernel debugging, you must enable the debug buffer, otherwise all messages will be directed to the console.
Some debugging flags can cause the kernel to dump a lot of information into the buffer (especially in loaded systems), and since the buffer rewrites over itself as data comes in, you must ensure you read the messages before they are overwritten. In addition, be aware that the debug mechanism was not designed for the layman and does not contain input validation or error reporting functions. The kernel assumes the input is valid and does not always report a failure when it occurs. In this discussion, we will see a few examples of that. The buffer size is limited to 16MB on pre-NGX and 32MB on NGX and above. The command, fw ctl zdebug, does not allow you to configure buffer size. It is crucial to define a large buffer size, otherwise debug messages get lost when they are written over.
It is possible to run fw ctl debug -x, which completely turns off the kernel debug, even the default flags. You should never use the "-x" switch, because the default flags should always be left on. To run the debug, use the following commands:
• To define the buffer size, use the command, fw ctl debug -buf [buffer size].
• To turn on relevant debug flags, use the command format, fw ctl debug [-m <module>] + <flags>, and read the buffer into a file with fw ctl kdebug -f > filename_out.
• To reset the debug flags, run the command, fw ctl debug 0.
• Considered a shortcut, the command, fw ctl zdebug [-m <module>] +/- <flags>|all, sets a buffer of 1MB, and only one kernel module can be invoked. It collects messages from the buffer and prints them to the shell. It's good for ad-hoc debug tasks, such as, fw ctl zdebug + drop.
Debugging Flags
You can check which debug flags are enabled for each module by simply running, fw ctl debug. Don't forget to turn debugging off, using fw ctl debug 0. Especially on production systems, it's important not to leave debug flags set, as this might cause a dramatic decrease in performance and produce unexpected messages. This command de-allocates the buffer and automatically kills the "fw ctl kdebug" process. Alternately, you can completely turn off the debug and de-allocate the buffer using, fw ctl debug -x. But note the earlier comments on this command. The slide depicts a description of the fw ctl debug command with a list of the associated flag options. For your reference, the most common flags used for general troubleshooting and enforcement issues are used in the command, fw ctl debug + conn drop vm (ld). The following detail the purpose of commonly used flags:
• conn - Covers connections table operations
• vm - Very useful for tracking decisions taken by the virtual machine chain module
• sync - Covers sync operations. Crucial when debugging in a cluster environment
• drop - Associates a reason for (almost) every dropped packet
• ld (kernel tables infrastructure) - Very useful, but very heavy
• xlate and xltrc - Used for NAT problems
• packval - Used for sequence verification and translation issues
VPN flags will be discussed separately in the VPN chapter.
It is important to emphasize that the debugging mechanism does not report errors or warnings when you misspell a module name or flag, and it will only specify "updated kernel attributes". Therefore, it is very important to run fw ctl debug -m after every time you make a change during your debug to ensure that the change was indeed implemented.
Kernel Debugging Tips
We mentioned before that when running the user-mode process, fw ctl kdebug, the kernel writes messages in a cyclical fashion because of a fixed buffer size. It's important to stress that the size setting be big enough to ensure that the messages we need to see are not overwritten. Note that the firewall will allocate the maximum possible buffer size. So, if you specify a buffer size larger than 321